8 Replies Latest reply on May 28, 2004 10:21 AM by anbenham

    logout when having used j_security_check

    mwallner
    mwallner May 11, 2004 10:03 AM

      Hi!

      I log my user in with the help of j_security_check, form-based. Works fine. But how can I then log out the user again?

      I use JBoss v. 3.2.3.

      Thanks,
      - Markus

      • 12529 Views
      • Tags:
        • 1. Re: logout when having used j_security_check
          tonic48
          tonic48 May 11, 2004 10:14 AM (in response to mwallner)

          if you are using JSP , try

          <% session.invalidate(); %>

            • Actions
          • 2. Re: logout when having used j_security_check
            anbenham
            anbenham May 13, 2004 2:55 AM (in response to mwallner)

            Hi,

            session .invalidate() is not sufficient under JBoss.

            I have written a logout method that empties the subject from its principals then flushes the aiuthentication cache of JBoss.

            Are there any other methods?

              • Actions
            • 3. Re: logout when having used j_security_check
              mwallner
              mwallner May 13, 2004 2:58 AM (in response to mwallner)

              anbenham, could you please post the source code of your method?

              Thanks,
              - markus

                • Actions
              • 4. Re: logout when having used j_security_check
                formenti May 13, 2004 3:24 AM (in response to mwallner)

                I like to see this code too! :)

                Gio

                  • Actions
                • 5. Re: logout when having used j_security_check
                  rolfarne
                  rolfarne May 13, 2004 12:03 PM (in response to mwallner)

                   

                  "anbenham" wrote:
                  Hi,

                  session .invalidate() is not sufficient under JBoss.

                  I have written a logout method that empties the subject from its principals then flushes the aiuthentication cache of JBoss.

                  Are there any other methods?


                  It is true that you will not get an immediate JAAS logout when calling session.invalidate(), but the user will have to authenticate again, using the login page, in order to be authorized to access protected URL's. So for instance, after session.invalidate(), the user may safely leave the browser window open without risking other using their privileges.


                    • Actions
                  • 6. Re: logout when having used j_security_check
                    anbenham
                    anbenham May 14, 2004 9:58 AM (in response to mwallner)

                    Hi here is the code.

                    public void logout() throws Exception {
 if (getSubject() == null)
 throw new Exception();
 Set principals = getSubject().getPrincipals();
 if (principals.size() > 0) {
 Iterator i = principals.iterator();
 NestableGroup roles = null;
 NestableGroup callerPrincipal = null;
 MyPrincipal user = null;
 while (i.hasNext()) {
 Object group = i.next();
 if (group instanceof MyPrincipal)
 user = (MyPrincipal) group;
 if (group instanceof NestableGroup) {
 NestableGroup nGroup = (NestableGroup) group;
 if (nGroup.getName() == "Roles")
 roles = nGroup;
 if (nGroup.getName() == "Callerprincipal")
 callerPrincipal = nGroup;
 }
 }
 principals.remove(user);
 principals.remove(roles);
 principals.remove(callerPrincipal);
 flushAuthCache(user);
 }
 }


private void flushAuthCache(MyPrincipal user) throws Exception {
 try {
 String domain = getDomain(user);
 if ((user!= null) && (domain != null)) {

 InitialContext ctx = new InitialContext();
 RMIAdaptor jbossServer = (RMIAdaptor) ctx.lookup("jmx/invoker/RMIAdaptor");
 ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
 Object[] params = { domaene, benutzer };
 String[] signature = { "java.lang.String", "java.security.Principal" };
 jbossServer.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
 }
 } catch (Exception e) {
 throw new Exception();
 }

 }


                    Is this code OK?
                    Is it dangereous to empty the Subject?

                      • Actions
                    • 7. Re: logout when having used j_security_check
                      tosenthu May 26, 2004 3:36 AM (in response to mwallner)

                      Hai
                      Is this a correct way to do, cos i do have the same probs, and if its valid to do this can u please tell me where to keep this code, means in which class, and how this method will be called. and also tell me the confiuration details that i have to make this code to work.

                      Thanks in advance.
                      Senthil Kumar M Rangaswamy

                        • Actions
                      • 8. Re: logout when having used j_security_check
                        anbenham
                        anbenham May 28, 2004 10:21 AM (in response to mwallner)

                        Hi,

                        I would like to know too if this is the right way to do that.#
                        I call that method just after the session.is invalidated ( I use a session listner).

                        Is it OK like that?

                        Do I have to empty the subject?

                        Is it garateed that the user is logged out in the ejb-container AND the web-container?

                          • Actions