"NigelWhite" wrote:
That doesn't work.
I have debug statements in my LoginModule's logout() method, and they are not being executed.
You're saying it should call login() and then immediately logout() on the first HTTP request??????????
That would be bizarre. I want to log out when then hit the logout link.
Anyway, it's not diong that - it's never getting into my LoginModule's logout() method.
The login() is being called fine, and I'm connecting to the backend server, caching the connection in the session, and the webapp then uses that.
When they hit the logout link though, it does a session.invalidate(), and no logout() is called, and the connection to the backend server stays open, and consumes a licence seat (It's HORRIBLE legacy stuff, and that's how they're clinging to viability - licencing!)
Now I could do the processing myself, but what if there were more login modules stacked up (as they may well be with JAAS authentication). It may be that more logout() methods in other modules may need to be called.
The container must have some way of doing this! We need access to the LoginContext used by the container at authentication time!
Well, thanks a bunch JBoss gurus! (Not you elponderador, the developers who should know this, and should have helped!)
After much searching, I randomly stumbled across the correct incantation:
in jboss-web.xml
<jboss-web> <!-- Specify the security domain for authentication/authorization and require that the domain's cache be flushed when the session invalidates. --> <security-domain flushOnSessionInvalidation="true"> java:/jaas/jbossweb-form-auth </security-domain> </jboss-web>