3 Replies Latest reply on Sep 6, 2005 3:15 AM by hoth256

    Session Invalidate + isUserInRole Issue

    hoth256

      Hello, this is a duplicate posting of http://www.jboss.com/index.html?module=bb&op=viewtopic&t=67511 (my apologies for the duplicate - but I believe this forum is more appropriate).


      Background:
      I'm using j_security_check for form-based auth, using a custom login module.

      Problem:
      Upon logging in using the custom login module, things work as expected - however, upon logging out by invalidating my session in a "logout" servlet where I use the request dispatcher to take me to the next page, I have things showing up on the page that shouldn't because they are enclosed in isUserInRole blocks.

      Upon clicking on the logout link again (which, by the way, is one of the things enclosed in an isUserInRole block), things work correctly.

      I'm fairly certain the page is not being cached. Does the problem have to do with the fact that something having to do with the Principal/Subject is cached in the HttpRequest object (grasping)?

      I've tried things like creating a new session after invalidating the original.

      Please help - I've spent way too much time on something as simple as logging a user out.

      Thanks in advance!

        • 1. Re: Session Invalidate + isUserInRole Issue
          hoth256

          New information:
          I was NOT able to reproduce the issue in [3.2.5 (build: CVSTag=JBoss_3_2_5 date=200406251954)]

          I am able to reproduce the issue in [4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)]

          Downloading 4.0.2 right now - will post the results.

          • 2. Re: Session Invalidate + isUserInRole Issue
            starksm64

            A forwarded request does not go through the security stack so I don't expect that the request roles will have changed. A redirected reply will show the updated state as a new session will be required.

            • 3. Re: Session Invalidate + isUserInRole Issue
              hoth256

              Thanks Scott! I have to say you are really on top of things, I see your posts all over these forums.

              I am able to reproduce the intended behavior in 4.0.2 - the same as 4.0.1sp1.

              Is this behavior specified in the newer servlet spec? Just wondering why the results were different in JBoss 3.2.5?

              In any case upon using a response.redirect("/") as you suggest, the roles change.

              Thanks again!
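To make the forward-versus-redirect point from replies 2 and 3 concrete, here is an added example logout servlet (not code from the original poster or from JBoss). It uses the javax.servlet API of that era; the "/index.jsp" path and the context-root landing page are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet illustrating why a forward after
// session.invalidate() still shows isUserInRole-guarded content.
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Pattern from the original post: a forward stays inside the current
        // request, which was already authenticated when it entered the container.
        // The Principal and role information bound to *this* request object are
        // not affected by invalidating the session, so isUserInRole() on the
        // forwarded page still answers as if the user were logged in.
        //
        //   RequestDispatcher rd = request.getRequestDispatcher("/index.jsp"); // assumed path
        //   rd.forward(request, response);

        // Fix suggested in the thread: redirect. The browser issues a fresh
        // request that passes through the security stack with no valid session,
        // so the container treats it as unauthenticated and isUserInRole()
        // returns false on the next page.
        response.sendRedirect(request.getContextPath() + "/"); // assumed landing page
    }
}
```

The same applies to any role check done in the logout servlet itself after invalidate(): it reads the request's existing principal, so only a new request reflects the logged-out state.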