2 Replies Latest reply on Oct 24, 2006 11:55 PM by jaikiran

Closing Browser seems to bypass DatabaseServerLoginModule

pander Oct 23, 2006 5:47 PM

Hi,

I'm using JBOSS AS 4.0.4 GA and am experiencing an odd problem connected with login and logout of users. If user's explicitly choose to logout and click on the logout button of my webapp the webapp directs them to an Action class which marks the event in a database and then calls session.invalidate(). This seems to be working perfectly and I have no issues when this is the logout method.

However, if the user simply closes the browser I am getting a strange series of events happening. If they open a new browser window (having say just closed one and been logged in) the browser and JBOSS/Tomcat correctly sends them to the login page to enter their login details as the new browser window has a completely different session associated with it, and I have verified this 100% by printing out the session Id's. If the user then attempts to login again using the same username and password with which they were previously logged in, JBOSS/Tomcat seems to completely ignore my DatabaseLogin module, which extends DatabaseServerLoginModule, and so various session beans that I am populating via reads from the database in this module are not being created and I am being left with a NullPointerException when the code gets further down the request cycle and is attempting to access the beans. I do not understand this at all.... under what circumstances can JBOSS/Tomcat completely ignore the DatabaseServerLoginModule ?? Surely if the server had decided that actually the user with these credentials was still logged in then it would have done that when they went to the inital landing page and would have directed them to the user's homepage and not to the login page.... it just doesn't make sense. Am I missing something critical here?? Please help !

Kind Regards,
Paul.

1. Re: Closing Browser seems to bypass DatabaseServerLoginModul

pander Oct 24, 2006 4:01 PM (in response to pander)

So out of all you java/jboss guru's on here nobody has any pointers?
Actions
2. Re: Closing Browser seems to bypass DatabaseServerLoginModul

jaikiran Oct 24, 2006 11:55 PM (in response to pander)

Paul,

First of all let me tell you i am not a java/jboss guru.

If they open a new browser window (having say just closed one and been logged in) the browser and JBOSS/Tomcat correctly sends them to the login page to enter their login details

Which means that it is working as expected. Since this is a new session, the user will be directed to the login page before accessing the secure resource.

If the user then attempts to login again using the same username and password with which they were previously logged in, JBOSS/Tomcat seems to completely ignore my DatabaseLogin module, which extends DatabaseServerLoginModule

How did you verify this? Please try to obtain the TRACE level logs from the jboss security package as mentioned in Q4 at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

and so various session beans that I am populating via reads from the database in this module are not being created and I am being left with a NullPointerException when the code gets further down the request cycle and is attempting to access the beans.

Please post the exception stacktrace that you are seeing. I believe that the NullpointerException might not be related to security issues. You will usually see SecurityException in such cases.

Surely if the server had decided that actually the user with these credentials was still logged in then it would have done that when they went to the inital landing page and would have directed them to the user's homepage and not to the login page.... it just doesn't make sense.

Opening a new browser is a totally new session and it does not matter if the user is still logged in from some other browser. This new browser will need authentication of the user again and so he/she will be redirected to the login page.
Actions

Go to original post