[jboss-user] [Security & JAAS/JBoss] - FORM based authenticated session not logged out properly via

mp30130 do-not-reply at jboss.com
Sun Dec 10 23:50:31 EST 2006


I've developed a portlet-based application on JBoss Portal Version 2.6 using container-managed authentication/security.

For login to this application, I'm using the LdapExtLoginModule, and using FORM based authentication (using j_security_check). This works properly. I successfully authenticate against my LDAP server.

The problem is when I logout. I perform a logout via a PortletSession.invalidate(); however, I can still see the principal and roles attached to subsequent requests (via PortletRequest.getUserPrincipal() and isUserInRole()). I can traverse to protected resources despite the fact that my session should have been invalidated; I am not forwarded to my configured login page. Reviewing the server.log, I am certain my session is being invalidated, and my LdapExtLoginModule.logout for my principal is being called.

For logout, besides invalidating the portlet session, I have also tried calling the JaasSecurityManager.flushAuthenticationCache to attempt to remove my principal from the cache. Additionally, I have set the flushOnSessionInvalidation to true in my jboss-web.xml file.

Are there some known issues in this area? This seems to be a basic/common operation that should work. Any help greatly appreciated!



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992675#3992675

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3992675
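A logout handler of the kind the post describes, written here as an added example (not the poster's code and not JBoss Portal's own): it invalidates the HTTP session that carries the FORM-authenticated principal, flushes that principal from the JaasSecurityManager cache over JMX, and is meant to be paired with flushOnSessionInvalidation in jboss-web.xml. The security-domain name, the servlet class, and the JMX ObjectName and operation signature are assumptions based on JBoss AS 4.x.

```java
import java.io.IOException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.mx.util.MBeanServerLocator;

// Hypothetical logout servlet; mapped to e.g. /logout in the portal web app.
public class LogoutServlet extends HttpServlet {
    // Assumed security domain; must match jboss-web.xml, which should also carry
    //   <security-domain flushOnSessionInvalidation="true">java:/jaas/myPortalDomain</security-domain>
    private static final String SECURITY_DOMAIN = "myPortalDomain";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the servlet session (not only the portlet-scoped view of it);
        //    this is the session the container tied the FORM principal to.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 2. Evict the cached principal so a later request must re-authenticate
        //    through the login module rather than hit the authentication cache.
        flushAuthenticationCache(SECURITY_DOMAIN);
        // 3. Send the browser on with a fresh, unauthenticated session and make sure
        //    no protected page from the old session is served from cache.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Invokes JaasSecurityManager.flushAuthenticationCache(String securityDomain)
    // on the JBoss MBean server (assumed ObjectName and signature, JBoss AS 4.x).
    static void flushAuthenticationCache(String domain) throws ServletException {
        try {
            MBeanServer server = MBeanServerLocator.locateJBoss();
            server.invoke(new ObjectName("jboss.security:service=JaasSecurityManager"),
                    "flushAuthenticationCache",
                    new Object[] { domain },
                    new String[] { String.class.getName() });
        } catch (Exception e) {
            throw new ServletException("could not flush auth cache for " + domain, e);
        }
    }
}
```

After logging out, a request to a protected URL should return the configured login page rather than content; if it does not, the principal is still reachable through some path other than the invalidated session.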


