[jboss-user] [Security & JAAS/JBoss] - Re: Logout from a WebService application

KerryJordan do-not-reply at jboss.com
Wed Jan 30 14:42:01 EST 2008


I have a similar problem. I am developing an Adobe Flex application that sends commands to a secure (via JAAS basic authentication) JBoss Java servlet. My version of JBoss is 4.2.2.GA. When a logout command is sent by the client application, I attempt to invalidate the session by calling the getSession() method on the HttpServletRequest object and then calling the invalidate() method on the returned session. However, this does not call the logout method of my custom login module (which extends the AbstractServerLoginModule), remove the principal from the JBoss JaasSecurityManager cache, nor apparently cause the authentication cache of Internet Explorer to clear. I'm not certain it even works at all. My jboss-web.xml in the application .ear contains the following:


  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  | 	<security-domain flushOnSessionInvalidation="true">java:/jaas/MyRealm</security-domain>
  | </jboss-web>
  | 

which, as I understand it, should cause the logout to occur on session invalidation.

I did add the following code to clear the JaasSecurityManager cache programmatically (which calls my logout method), but that still leaves the cache on Internet Explorer intact (and I suspect that the session has not truly been invalidated)...


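  | import java.security.Principal;
  | import javax.management.MBeanServer;
  | import javax.management.MBeanServerFactory;
  | import javax.management.ObjectName;
  | 
  | // Runs inside the servlet's request handler; req is the HttpServletRequest
  | String domain = "MyRealm";
  | Principal user = req.getUserPrincipal();
  | ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager" );
  | Object[] params = { domain, user };
  | String[] signature = { "java.lang.String", Principal.class.getName() };
  | // Take the first MBeanServer registered in this JVM and flush the cached principal
  | MBeanServer server = ( MBeanServer ) MBeanServerFactory.findMBeanServer( null ).get( 0 );
  | server.invoke( jaasMgr, "flushAuthenticationCache", params, signature );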
  | 

Any thoughts or suggestions? I could really use some expert advice...

Kerry

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4124913#4124913
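
The two server-side steps described in the post (session invalidation and the JaasSecurityManager cache flush), combined into one logout handler. This is an added example, not code from the original post or from JBoss; the servlet name and the response handling are assumptions, and it leaves the browser's own Basic-authentication cache untouched, which the post observes these calls do not clear.

```java
import java.io.IOException;
import java.security.Principal;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet name; "MyRealm" is the security domain named in the post.
public class LogoutServlet extends HttpServlet {
    private static final String DOMAIN = "MyRealm";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Capture the principal before touching the session, so the cache
        // flush below targets exactly the caller who asked to log out.
        Principal user = req.getUserPrincipal();

        // getSession(false) avoids creating a fresh session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // An unauthenticated request has no principal and nothing to flush.
        if (user != null) {
            try {
                flushJaasCache(DOMAIN, user);
            } catch (Exception e) {
                throw new ServletException("JAAS cache flush failed", e);
            }
        }
        // Assumed response: empty body that intermediaries must not store.
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Same MBean operation and signature the post invokes.
    private static void flushJaasCache(String domain, Principal user) throws Exception {
        MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
        ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
        server.invoke(jaasMgr, "flushAuthenticationCache",
                new Object[] { domain, user },
                new String[] { String.class.getName(), Principal.class.getName() });
    }
}
```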
