1. Re: logout when having used j_security_check
tonic48 May 11, 2004 10:14 AM (in response to mwallner)
If you are using JSP, try
<% session.invalidate(); %>
2. Re: logout when having used j_security_check
anbenham May 13, 2004 2:55 AM (in response to mwallner)
Hi,
session.invalidate() is not sufficient under JBoss.
I have written a logout method that empties the subject of its principals, then flushes the authentication cache of JBoss.
Are there any other methods?
3. Re: logout when having used j_security_check
mwallner May 13, 2004 2:58 AM (in response to mwallner)
anbenham, could you please post the source code of your method?
Thanks,
- markus
4. Re: logout when having used j_security_check
formenti May 13, 2004 3:24 AM (in response to mwallner)
I'd like to see this code too! :)
Gio
5. Re: logout when having used j_security_check
rolfarne May 13, 2004 12:03 PM (in response to mwallner)
"anbenham" wrote:
Hi,
session.invalidate() is not sufficient under JBoss.
I have written a logout method that empties the subject of its principals, then flushes the authentication cache of JBoss.
Are there any other methods?

It is true that you will not get an immediate JAAS logout when calling session.invalidate(), but the user will have to authenticate again, using the login page, in order to be authorized to access protected URLs. So for instance, after session.invalidate(), the user may safely leave the browser window open without risking others using their privileges.
6. Re: logout when having used j_security_check
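anbenham May 14, 2004 9:58 AM (in response to mwallner)
Hi, here is the code.

    import java.util.Iterator;
    import java.util.Set;
    import javax.management.ObjectName;
    import javax.naming.InitialContext;
    import org.jboss.jmx.adaptor.rmi.RMIAdaptor;
    import org.jboss.security.NestableGroup;

    // getSubject(), getDomain() and MyPrincipal are the poster's own helpers (not shown).
    public void logout() throws Exception {
        if (getSubject() == null)
            throw new Exception();
        Set principals = getSubject().getPrincipals();
        if (principals.size() > 0) {
            Iterator i = principals.iterator();
            NestableGroup roles = null;
            NestableGroup callerPrincipal = null;
            MyPrincipal user = null;
            while (i.hasNext()) {
                Object group = i.next();
                if (group instanceof MyPrincipal)
                    user = (MyPrincipal) group;
                if (group instanceof NestableGroup) {
                    NestableGroup nGroup = (NestableGroup) group;
                    // Compare names with equals(); == only compares object references.
                    if ("Roles".equals(nGroup.getName()))
                        roles = nGroup;
                    // equals() is case-sensitive; JBoss's stock login modules
                    // name this group "CallerPrincipal".
                    if ("Callerprincipal".equals(nGroup.getName()))
                        callerPrincipal = nGroup;
                }
            }
            // Remove only what was found; the Subject's principal set may reject null.
            if (user != null)
                principals.remove(user);
            if (roles != null)
                principals.remove(roles);
            if (callerPrincipal != null)
                principals.remove(callerPrincipal);
            flushAuthCache(user);
        }
    }

    private void flushAuthCache(MyPrincipal user) throws Exception {
        try {
            if (user == null)
                return;
            String domain = getDomain(user);
            if (domain != null) {
                InitialContext ctx = new InitialContext();
                RMIAdaptor jbossServer = (RMIAdaptor) ctx.lookup("jmx/invoker/RMIAdaptor");
                ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                // Arguments must match the signature below: (String, Principal).
                Object[] params = { domain, user };
                String[] signature = { "java.lang.String", "java.security.Principal" };
                jbossServer.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
            }
        } catch (Exception e) {
            // Keep the original failure as the cause instead of discarding it.
            throw new Exception("flushAuthenticationCache failed", e);
        }
    }

Is this code OK?
Is it dangerous to empty the Subject?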
7. Re: logout when having used j_security_check
tosenthu May 26, 2004 3:36 AM (in response to mwallner)
Hi,
Is this a correct way to do it? I have the same problems, and if it is valid to do this, can you please tell me where to keep this code, meaning in which class, and how this method will be called? Also, please tell me the configuration details that I have to make for this code to work.
Thanks in advance.
Senthil Kumar M Rangaswamy
8. Re: logout when having used j_security_check
anbenham May 28, 2004 10:21 AM (in response to mwallner)
Hi,
I would like to know too if this is the right way to do that.
I call that method just after the session is invalidated (I use a session listener).
Is it OK like that?
Do I have to empty the subject?
Is it guaranteed that the user is logged out in the ejb-container AND the web-container?
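
One place to call the cache flush discussed in this thread, as an added example that is not part of the original posts or JBoss's own code: an object stored in the HTTP session whose `valueUnbound()` callback runs when the session is invalidated or times out. The class name `AuthCacheFlusher`, the attribute name `authFlusher` and the security domain `my-domain` are assumptions, and the code has to run inside the JBoss VM.

```java
import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import org.jboss.mx.util.MBeanServerLocator;

/**
 * Added example (hypothetical class). Bind one instance after a successful login:
 *   session.setAttribute("authFlusher",
 *       new AuthCacheFlusher("my-domain", request.getUserPrincipal()));
 * The principal is captured here because no request is available at unbind time.
 */
public class AuthCacheFlusher implements HttpSessionBindingListener {
    private static final Logger LOG = Logger.getLogger(AuthCacheFlusher.class.getName());
    private final String securityDomain; // assumed domain name, e.g. "my-domain"
    private final Principal user;        // principal captured at login time

    public AuthCacheFlusher(String securityDomain, Principal user) {
        this.securityDomain = securityDomain;
        this.user = user;
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do when the object is stored in the session.
    }

    // Called on session.invalidate(), on timeout, and on removeAttribute().
    public void valueUnbound(HttpSessionBindingEvent event) {
        if (user == null || securityDomain == null)
            return;
        try {
            // In-VM lookup of the MBean server; no RMI adaptor round trip needed.
            MBeanServer server = MBeanServerLocator.locateJBoss();
            ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
            server.invoke(jaasMgr, "flushAuthenticationCache",
                    new Object[] { securityDomain, user },
                    new String[] { "java.lang.String", "java.security.Principal" });
        } catch (Exception e) {
            // A failed flush leaves the cached credentials in place until they expire.
            LOG.log(Level.WARNING, "Auth cache flush failed for " + user.getName(), e);
        }
    }
}
```

A logout page then only needs to call session.invalidate(); the same flush also runs when the session expires on its own.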