[jboss-jira] [JBoss JIRA] (ELY-904) Logout notification support for HTTP-based authentication mechanisms
Pedro Igor (JIRA)
issues at jboss.org
Fri Feb 3 07:17:00 EST 2017
[ https://issues.jboss.org/browse/ELY-904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13358260#comment-13358260 ]
Pedro Igor commented on ELY-904:
--------------------------------
I stepped back and pushed changes related to the addition of a logout method to {{HttpServerAuthenticationMechanism}}.
Supporting this via notification is really possible for session-based mechanisms, given that usually we just need to invalidate the session and not write to the response.
If our HTTP API were allowing mechs to write to the response without necessarily calling one of those "complete methods" (authenticationComplete, noAuthInProgress, etc.), we could avoid adding this method and just support LOGOUT notification in our API.
> Logout notification support for HTTP-based authentication mechanisms
> --------------------------------------------------------------------
>
> Key: ELY-904
> URL: https://issues.jboss.org/browse/ELY-904
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: HTTP
> Affects Versions: 1.1.0.Beta21
> Reporter: Pedro Igor
> Assignee: Pedro Igor
>
> I think it makes sense to also allow HTTP mechanisms to handle logouts. Logout is tightly related to authentication and mechanisms should be able to act properly during logout requests.
> Although only a small set of mechanisms support logout, I think adding a default method {{org.wildfly.security.http.HttpServerAuthenticationMechanism#logout}} will make our API even more complete and capable of supporting more use cases.
> The main use case for this enhancement is programmatic logout. In this case, logout can be triggered from inside an application, which in turn delegates the logout logic to the mechanism that authenticated a user.
> Considering Elytron Web, this enhancement would make integration with other containers even simpler and avoid dealing with specific logout mechanisms (e.g., notifications) provided by these same containers. This is especially true for servlet containers.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)