[jboss-user] [Security & JAAS/JBoss] - FORM based authenticated session not logged out properly via
mp30130
do-not-reply at jboss.com
Sun Dec 10 23:50:31 EST 2006
I?ve developed a portlet-based application on JBoss Portal Version 2.6 using container-managed authentication/security.
For login to this application, I?m using the LdapExtLoginModule, and using FORM based authentication (using j_security_check). This works properly. I successfully authenticate against my LDAP server.
The problem is when I logout. I perform a logout via a PortletSession.invalidate, however, I still can see the principal and roles attached to subsequent requests (via PortletRequest.getUserPrincipal(), and isUserInRole()). I can traverse to protected resources despite the fact that my session should have been invalidated; I am not forwarded to my configured login page. Reviewing the server.log, I am certain my session is being invalidated, and my LdapExtLoginModule.logout for my principal is being called.
For logout, besides invalidating the portlet session, I have also tried calling the JaasSecurityManager.flushAuthenticationCache to attempt to remove my principal from the cache. Additionally, I have set the flushOnSessionInvalidation to true in my jboss-web.xml file.
Are there some known issues in this area? This seems to be a basic/common operation that should work. Any help greatly appreciated!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992675#3992675
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3992675
More information about the jboss-user
mailing list