3 Replies Latest reply on Sep 11, 2005 12:04 PM by deepglance

    Users don't log out

    tremalnaik

      Hello folks, I'm using JBoss 4.0.2. I still have some problems with login modules. My login-config.xml follows:

      <application-policy name = "CpRealm">
       <authentication>
       <login-module code = "com.ciccio.pasticcio.CpLoginModule" flag = "required">
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">base64</module-option>
       </login-module>
       </authentication>
      </application-policy>
      


      The LogoutAction is invalidating the session in its execute() method:

      httpServletRequest.getSession().invalidate();


      I'm logging the login() and logout() methods of com.ciccio.pasticcio.CpLoginModule and the result is summarized in the following use case:

      1) I start JBoss
      1.1) I start Iexplorer and login as userA: login() is called
      1.2) logout as userA: execute() is called, logout() is NOT called
      1.1) I login again as userA: login() is NOT called
      1.2) I logout as userA: same as 1.2)
      1.3) restart Iexplorer, login as userA: login() is NOT called
      1.4) logout as userA, same as 1.2)
      1.5) I login as userB: login() is called
      1.6) logout as userB: same as 1.2)

      2) Restart JBoss, NOT Iexplorer
      1.1) login as userA: login() is called
      the rest is same as above

      I tried the following configuration:

      <application-policy name = "CpRealm">
       <authentication>
       <login-module code = "com.ciccio.pasticcio.CpLoginModule" flag = "required">
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">base64</module-option>
       </login-module>
       <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
       <module-option name="multi-threaded">true</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
       </authentication>
      </application-policy>
      


      Nothing changed. Can anyone explain to me what I'm doing wrong, please?

      Thanks

        • 1. Re: Users don't log out
          tremalnaik

           

          <security-domain flushOnSessionInvalidation="true">java:/jaas/myRealm</security-domain>


          simple, isn't it? ;)
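
Why login() is skipped on the repeat logins in the use case above, and what flushOnSessionInvalidation changes, shown as an added illustration that is not part of the original posts and not JBoss source. It is a simplified model of the security domain's authentication cache; the class and method names are hypothetical, the credentials are constructed, and cache expiry is left out.

```java
import java.util.*;

// Simplified model of a security domain's authentication cache.
// Added illustration, not JBoss source; all names here are hypothetical.
public class AuthCacheModel {
    private final Map<String, String> cache = new HashMap<>(); // principal -> credential
    private final boolean flushOnSessionInvalidation;
    private final List<String> trace = new ArrayList<>();

    AuthCacheModel(boolean flush) { this.flushOnSessionInvalidation = flush; }

    // Container-side authentication: the login module runs only on a cache miss.
    boolean authenticate(String user, String password) {
        if (password.equals(cache.get(user))) {
            trace.add("login  " + user + ": cache hit, login() NOT called");
            return true;
        }
        trace.add("login  " + user + ": cache miss, login() called");
        boolean ok = !password.isEmpty(); // stand-in for the CpLoginModule check
        if (ok) cache.put(user, password);
        return ok;
    }

    // What session.invalidate() in LogoutAction.execute() leads to.
    void invalidateSession(String user) {
        boolean flushed = flushOnSessionInvalidation && cache.remove(user) != null;
        trace.add("logout " + user + (flushed
                ? ": cache entry flushed, logout() called"
                : ": entry stays cached, logout() NOT called"));
    }

    // Replays the first steps of the use case with constructed credentials.
    static List<String> replay(boolean flush) {
        AuthCacheModel domain = new AuthCacheModel(flush);
        domain.authenticate("userA", "pwA");
        domain.invalidateSession("userA");
        domain.authenticate("userA", "pwA"); // second login, same or new browser
        domain.invalidateSession("userA");
        domain.authenticate("userB", "pwB");
        return domain.trace;
    }

    public static void main(String[] args) {
        for (boolean flush : new boolean[] {false, true}) {
            System.out.println("flushOnSessionInvalidation=" + flush);
            replay(flush).forEach(line -> System.out.println("  " + line));
        }
    }
}
```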

          • 2. Re: Users don't log out
            deepglance

            Hi there,
            what about the other way around: logging out a user when his authentication info cache is flushed?
            I'm using the database login module. If we have an admin that changes the roles of the users, this change should take place immediately.
            Example: to change the roles of user (x):
            1. update the new roles in the database
            2. flush the authentication cache
            3. log out the user (x) in order to apply the new roles immediately

            q1) How do you force user x to log out?
            q2) Is this a good approach?

            • 3. Re: Users don't log out
              deepglance

              Hellooooooo ?