[jboss-user] [Security & JAAS/JBoss] - Why AbstractServerLoginModule.logout is not removing added r

fcorneli do-not-reply at jboss.com
Thu Mar 22 06:00:38 EDT 2007


I just came across a situation in which the sessionContext.getCallerPrincipal() returns null because the principal was removed from the subject during logout, which is OK. The funny thing is that, because AbstractServerLoginModule is not removing any added roles, the RBAC still lets the 'null' caller principal call the method annotated with @RolesAllowed. Why is AbstractServerLoginModule not removing the added roles while removing the principal from the subject?


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4030523#4030523

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4030523

More information about the jboss-user mailing list