7 Replies Latest reply on Jan 5, 2007 8:26 AM by jflf83

    LoginContext retrieving

    tremalnaik

      Hello to the forum, it's the first time I write here.
      I'm developing a struts application which is deployed on jboss, using the jaas authentication.

      Login works perfectly, using a custom module. But now I have to perform a logout, which is to be called in a different action class, so what's the better way to achieve this?

      I mean, how can I access the LoginContext of the user and call its logout() method? I cannot even see the LoginContext, which is hidden from the developer perspective, so I cannot put it in the session or similar.

      Can you help me?

      TREMALNAIK

        • 1. Re: LoginContext retrieving

          I added your question to the FAQ, although it is really a servlets FAQ.
          http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

          • 2. Re: LoginContext retrieving
            tremalnaik

            Thanks for your answer, anyway the explanation you give in the FAQ is really short and doesn't tell why if I put a breakpoint into the login() method of my login module it shows that the login() is not called the second time. The following steps display my scenario:

            1) First time I login the breakpoint stops execution, showing that myLoginModule.login() has been called

            2) I logout, invalidating the session in my logout action

            3) I login again at the login page, logon is successful, but the breakpoint doesn't stop execution

            Can you please explain this fact to me, please?

            TREMALNAIK

            • 3. Re: LoginContext retrieving
              tremalnaik

              I'm using jboss 4.0 beta, anyway. Tomorrow I'm going to test with the new stable 4.0.2, maybe it will behave differently.

              Thanks for your help, anyway

              TREMALNAIK

              • 4. Re: LoginContext retrieving
                hoth256

                Hello all,

                I think I might need to get a handle to the LoginContext to logout as well...

                Background
                I'm using j_security_check for form based auth. using a custom login module.

                Problem:
                Upon logging in using the custom login module, things work as expected - however, upon logging out by invalidating my session in a "logout" servlet where I use the request dispatcher to take me to the next page, I have things showing up on the page that shouldn't because they are enclosed in isUserInRole blocks.

                Upon clicking on the logout link again (which, by the way, is one of the things enclosed in a isUserInRole block), things work correctly.

                I'm fairly certain the page is not being cached. Does the problem have to do with the fact that something having to do with the Principal/Subject is cached in the HttpRequest object (grasping)?

                I've tried things like creating a new session after invalidating the original.

                Please help - I've spent way too much time on something as simple as logging a user out.

                Thanks in advance!

                • 5. Re: LoginContext retrieving
                  reostat

                  Hello all,

                  Did someone solve the problem described above by hoth256?

                  I have almost the same configuration:
                  - form-based authentication;
                  - custom LoginModule (let's call it myLM);
                  - JSF-based main page with "Logout" button;
                  - logout() method in page supporting bean which calls HttpSession invalidate() method;
                  - flushOnSessionInvalidation attribute set to "true" for my security-domain in the jboss-web.xml;
                  - JBoss ver. 4.0.2.

                  The problem seems to be the same as described: when I press the "Logout" button for the first time I'm not redirected to the login form; it is performed only after the second button hit. While performing some investigations I've found the next inconsistencies:
                  1. After fresh start of JBoss I log in via login form and redirected to main form.
                  2. I press the "logout" button:
                  - two breakpoints are reached consequently: one in bean.logout() then second in myLM.logout();
                  - active page is not changed to login form but remains the main page.
                  3. I press the "logout" button again:
                  - active page is changed to login form but no breakpoints are hit.
                  4. I try to login. After pressing the "login" button breakpoints are hit and after that I am redirected to the main page.
                  From this state steps 3 and 4 repeat.

                  So the question is: why the main page is not changed to login page after the first "logout" click? And what are those stuck logout actions?...

                  Thanks in advance for any comments!

                  • 6. Re: LoginContext retrieving
                    hoth256

                    reostat -

                    If I recall correctly, this may have something to do with how your code moves you to the next page (I believe "login form") upon clicking the "Logout" button. I'm not 100% sure I had agreed with whoever sent me a response, but I moved on...

                    Again, if I recall correctly, a suggestion had been made to not use the request dispatcher to move you to the next page, but instead use the response object:

                    response.sendRedirect("/");


                    Where response is of type HttpServletResponse and "/" is where you want to go.

                    The rationale of the suggester, if memory serves, was that the session is still somewhat valid in the context of using the request object after a call to session.invalidate().

                    good luck

                    hoth256
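
The suggestion in reply 6, written out as an added example (not code posted by anyone in the thread): a logout servlet that invalidates the session and then redirects instead of forwarding. The class name `LogoutServlet` and the target path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet; the name and AFTER_LOGOUT path are assumptions.
public class LogoutServlet extends HttpServlet {

    // Assumed landing path, relative to the web application's context root.
    private static final String AFTER_LOGOUT = "/";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): do not create a session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep browsers and proxies from re-showing the authenticated page.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        // Deliberately not getRequestDispatcher(...).forward(request, response):
        // a forward renders the next page inside this same request, which was
        // authenticated before invalidate() ran, so isUserInRole() checks on
        // that page can still pass. A redirect makes the browser issue a new
        // request, which the container evaluates without the old session.
        response.sendRedirect(request.getContextPath() + AFTER_LOGOUT);
    }
}
```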

                    • 7. Re: LoginContext retrieving
                      jflf83

                      The FAQ helped me to solve the same problem.
                      ThanX