[jboss-user] [JBoss Seam] - Identity retains roles after Identity.logout()?

hawkettc do-not-reply at jboss.com
Fri Nov 16 22:22:23 EST 2007


Hi,

   Seem to be having an issue where identity retains roles after calling Identity.logout().

I'm using web services as well, so this may have something to do with it.  Here is the log output -


  | 11:49:06,056 INFO  [AuthenticatorHelper] logging in a, b via WS
  | 11:49:06,075 INFO  [Authenticator] authenticating a, b
  | 11:49:09,031 INFO  [Authenticator] Logged in?:true, Has admin role?:true
  | 11:49:09,038 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
  | 11:49:10,794 INFO  [Authenticator] logging out
  | 11:49:12,433 INFO  [Authenticator] Logged in?:false, Has admin role?:true
  | 11:49:12,436 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
  | 

for this code


  | @Stateless
  | @WebService
  | @Name("authenticator")
  | public class Authenticator implements AuthenticatorLocal, AuthenticatorRemote {
  |     @Logger Log log;
  |     
  |     @In Identity identity;
  |    
  |     /*
  |      * This method is registered as the login callback in components.xml -
  |      * Call to identity.login() in AuthenticatorHelper below results in this method being called.
  |      */
  |     public boolean authenticate() {
  |     	log.info("authenticating #0, #1", identity.getUsername(), identity.getPassword());
  | 
  |         identity.addRole("admin");
  |         return true;
  |     }
  | 
  |     @WebMethod
  |     public boolean logout() {
  |     	log.info("logging out");
  |         if(identity.isLoggedIn()) identity.logout();
  |         return !identity.isLoggedIn();
  |     }
  |     
  |     @WebMethod
  |     public boolean loginWS(String username, String password) {
  |     	AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
  |     	return helper.loginWS(username, password);
  |     }
  |     
  |     @WebMethod
  |     //@Restrict("#{s:hasRole('admin')}")
  |     public boolean checkMeWS() {
  |     	log.info("Logged in?:#0, Has admin role?:#1", identity.isLoggedIn(), identity.hasRole("admin"));
  |     	AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
  |     	return helper.checkMeWS();
  |     }
  | }
  | 
  | ========================================
  | 
  | @Name("authenticatorHelper")
  | public class AuthenticatorHelper {
  |     @Logger Log log;
  |     @In Identity identity;
  | 	
  |     @Restrict("#{s:hasRole('admin')}")
  |     public boolean checkMeWS() {
  |     	log.info("Checking via restricted webServices, in appropriate role: " + Identity.instance().hasRole("admin"));
  |     	return identity.isLoggedIn();
  |     }
  |     
  |     public boolean loginWS(String username, String password) {
  |     	log.info("logging in #0, #1 via WS", username, password);
  |     	identity.setUsername(username);
  |     	identity.setPassword(password);
  |     	identity.login();
  |     	return identity.isLoggedIn();
  |     }
  | }
  | 

There are three separate web service calls there, but I'm struggling to see how the third one could still show the admin role.  The documentation for Identity.logout() is a bit sparse - so I'm taking a guess as to what it actually does, but I would expect it to invalidate the session, and lose any role information.  Any ideas?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4105714#4105714
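
The symptom in the log above, as an added example that is not part of the original post: a Python check that reads log lines in the format shown and flags any line where the admin role is reported, or the restricted method passes its role check, while the identity is not logged in. The sample input is the post's log output re-typed as a constructed string; the function and pattern names are assumptions.

```python
import re

# Constructed sample: the log lines quoted in the post, without the "  | " prefix.
SAMPLE_LOG = """\
11:49:06,056 INFO  [AuthenticatorHelper] logging in a, b via WS
11:49:06,075 INFO  [Authenticator] authenticating a, b
11:49:09,031 INFO  [Authenticator] Logged in?:true, Has admin role?:true
11:49:09,038 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
11:49:10,794 INFO  [Authenticator] logging out
11:49:12,433 INFO  [Authenticator] Logged in?:false, Has admin role?:true
11:49:12,436 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
"""

# timestamp, level, [component], message; an optional "  | " quote prefix is tolerated
LINE = re.compile(r"^\s*(?:\|\s*)?(\d\d:\d\d:\d\d,\d{3})\s+\w+\s+\[(\w+)\]\s+(.*)$")
STATE = re.compile(r"Logged in\?:(true|false), Has admin role\?:(true|false)")
RESTRICTED = re.compile(r"in appropriate role: (true|false)")


def find_stale_roles(log_text):
    """Return (timestamp, reason) for each line showing a role held without a login."""
    findings = []
    logged_in = False  # last authentication state the log reported
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _component, msg = m.groups()
        state = STATE.search(msg)
        if state:
            logged_in = state.group(1) == "true"
            if not logged_in and state.group(2) == "true":
                findings.append((ts, "role reported for unauthenticated identity"))
        elif msg.startswith("logging out"):
            logged_in = False
        else:
            check = RESTRICTED.search(msg)
            if check and check.group(1) == "true" and not logged_in:
                findings.append((ts, "restricted method passed role check without login"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_stale_roles(SAMPLE_LOG):
        print(ts, reason)
```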
