3 Replies Latest reply on Nov 30, 2007 4:40 PM by jdsignature

    FORM based authenticated session not logged out properly via

    mp30130

      I've developed a portlet-based application on JBoss Portal Version 2.6 using container-managed authentication/security.

      For login to this application, I'm using the LdapExtLoginModule, and using FORM based authentication (using j_security_check). This works properly. I successfully authenticate against my LDAP server.

      The problem is when I logout. I perform a logout via a PortletSession.invalidate, however, I still can see the principal and roles attached to subsequent requests (via PortletRequest.getUserPrincipal(), and isUserInRole()). I can traverse to protected resources despite the fact that my session should have been invalidated; I am not forwarded to my configured login page. Reviewing the server.log, I am certain my session is being invalidated, and my LdapExtLoginModule.logout for my principal is being called.

      For logout, besides invalidating the portlet session, I have also tried calling the JaasSecurityManager.flushAuthenticationCache to attempt to remove my principal from the cache. Additionally, I have set the flushOnSessionInvalidation to true in my jboss-web.xml file.

      Are there some known issues in this area? This seems to be a basic/common operation that should work. Any help greatly appreciated!

        • 1. Re: FORM based authenticated session not logged out properly
          mp30130

          Ok; I have simplified my test and removed my portal from the equation; I am simply using JSPs and the LdapExtLoginModule, and BASIC authentication. I still observe the same issue - where I am granted access to resources when I would expect to have to re-login after invalidating my session.

          I have a secure directory which has a resource constraint on it. In the secure directory, I have an invalidate.jsp file. When this jsp file is visited, I invalidate the session. I would then expect I would not be able to visit any other pages under my secure directory; rather, I would expect that I would be prompted to login again if I visit another page under my secure directory. It appears that even though I have set flushOnSessionInvalidation=true in my jboss-web.xml configuration, it appears that caching is still going on and the LdapExtLoginModule.login is being called w/o having me needing to reenter the password through the BASIC authentication dialog box.

          Here is the output from my simplified test program. The session invalidation occurs at
          2006-12-11 23:22:47,446 and the auto re-login occurs at 2006-12-11 23:23:28,886. How do I disable this caching and force a re-login?


          2006-12-11 23:22:44,304 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/secure/invalidate.jsp --> false
          2006-12-11 23:22:44,304 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/secure/invalidate.jsp --> true
          2006-12-11 23:22:44,305 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/secure/invalidate.jsp --> false
          2006-12-11 23:22:44,305 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/secure/invalidate.jsp --> true
          2006-12-11 23:22:44,305 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2006-12-11 23:22:44,305 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          2006-12-11 23:22:44,305 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-12-11 23:22:44,305 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=testuser
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Begin isValid, principal:testuser, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[Subject(7838822).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778]
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[Subject(7838822).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778];credential.class=java.lang.String@21479899
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] End validateCache, isValid=true
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] End isValid, true
          2006-12-11 23:22:44,306 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: testuser is authenticated
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , sc=org.jboss.security.SecurityAssociation$SubjectContext@d34b8c{principal=testuser,subject=325274}
          
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[Subject(7838822).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778]
          2006-12-11 23:22:44,306 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: testuserto: testuser
          2006-12-11 23:22:44,306 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@d34b8c{principal=testuser,subject=325274}
          2006-12-11 23:22:44,307 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] getUserRoles, subject: Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[testuser(trader,)]
          2006-12-11 23:22:44,307 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'testuser' with type 'BASIC'
          2006-12-11 23:22:44,307 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[testuser(trader,)]
          2006-12-11 23:22:44,307 DEBUG [org.apache.catalina.realm.RealmBase] Username testuser has role trader
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: trader
          2006-12-11 23:22:44,307 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[testuser(trader,)]
          2006-12-11 23:22:44,307 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
          2006-12-11 23:22:44,307 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , sc=org.jboss.security.SecurityAssociation$SubjectContext@1da1845{principal=testuser,subject=325274}
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-11 23:22:44,307 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-11 23:22:46,648 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897366647 sessioncount 0
          2006-12-11 23:22:46,648 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 1 expired sessions: 0
          2006-12-11 23:22:46,648 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897366648 sessioncount 0
          2006-12-11 23:22:46,648 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
          2006-12-11 23:22:47,435 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Session Created with id=1C3E4585A5D9B5916FB1C2B2DDC911C9
          2006-12-11 23:22:47,446 INFO [STDOUT] Invalidating session...
          2006-12-11 23:22:47,446 INFO [STDOUT] ***** request = org.apache.catalina.connector.RequestFacade@1024864
          2006-12-11 23:22:47,447 DEBUG [org.apache.catalina.realm.RealmBase] Username testuser has role trader
          2006-12-11 23:22:47,447 INFO [STDOUT] Invalidating the session: org.apache.catalina.session.StandardSessionFacade@deb65f
          2006-12-11 23:22:47,447 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Session Destroy with id=1C3E4585A5D9B5916FB1C2B2DDC911C9
          2006-12-11 23:22:47,450 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@1da1845{principal=testuser,subject=325274}
          2006-12-11 23:22:47,450 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Jacc Subject = Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          
          2006-12-11 23:22:47,450 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] securityDomain=mydomain
          2006-12-11 23:22:47,450 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated Principal=testuser
          2006-12-11 23:22:47,450 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Before flush of authentication cache::
          2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
          2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=testuser
          2006-12-11 23:22:47,451 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[Subject(7838822).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778], activeUsers=0
          2006-12-11 23:22:47,451 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[Subject(7838822).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778]
          2006-12-11 23:22:47,451 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] logout
          2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] After flush of authentication cache::
          2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=0
          2006-12-11 23:22:47,452 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-11 23:22:47,452 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-11 23:22:47,453 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
          2006-12-11 23:22:47,453 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[testuser(trader,)]
          2006-12-11 23:22:47,453 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
          2006-12-11 23:22:56,650 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897376650 sessioncount 0
          2006-12-11 23:22:56,650 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
          2006-12-11 23:23:16,653 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897396653 sessioncount 0
          2006-12-11 23:23:16,653 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
          2006-12-11 23:23:16,653 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897396653 sessioncount 0
          2006-12-11 23:23:16,653 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /testsec/pages/
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/ --> false
          2006-12-11 23:23:20,538 DEBUG [org.apache.catalina.realm.RealmBase] No applicable constraint located
          2006-12-11 23:23:20,539 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
          2006-12-11 23:23:20,539 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
          2006-12-11 23:23:20,539 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
          2006-12-11 23:23:20,539 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:20,539 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:20,541 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:20,541 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:20,541 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
          2006-12-11 23:23:20,541 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callernull
          2006-12-11 23:23:20,541 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /testsec/pages/secure/
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/secure/ --> false
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/secure/ --> true
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SecretProtection]' against GET /pages/secure/ --> false
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure pages]' against GET /pages/secure/ --> true
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          2006-12-11 23:23:28,885 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-12-11 23:23:28,885 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=testuser
          2006-12-11 23:23:28,886 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Begin isValid, principal:testuser, cache info: null
          2006-12-11 23:23:28,886 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] defaultLogin, principal=testuser
          2006-12-11 23:23:28,886 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(mydomain), authInfo=AppConfigurationEntry[]:
          [0]
          LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
          ControlFlag: LoginModuleControlFlag: required
          Options:name=roleFilter, value=(memberUid={0})
          name=baseFilter, value=(uid={0})
          name=bindCredential, value=somePortal
          name=bindDN, value=cn=SomePortal,dc=somebrokerage,dc=com
          name=roleRecursion, value=-1
          name=java.naming.provider.url, value=ldap://ldapserver:389
          name=roleAttributeID, value=cn
          name=baseCtxDN, value=dc=somebrokerage,dc=com
          name=rolesCtxDN, value=ou=Group,dc=somebrokerage,dc=com
          
          2006-12-11 23:23:28,886 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize, instance=@8443349
          2006-12-11 23:23:28,886 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
          2006-12-11 23:23:28,906 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Assign user to role trader
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] User 'testuser' authenticated, loginOk=true
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] commit, loginOk=true
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] defaultLogin, lc=javax.security.auth.login.LoginContext@56c88c, subject=Subject(25727428).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader))
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] updateCache, inputSubject=Subject(25727428).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)), cacheSubject=Subject(18477885).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader))
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b041f3[Subject(18477885).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778]
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] End isValid, true
          2006-12-11 23:23:28,907 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: testuser is authenticated
          2006-12-11 23:23:28,907 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , sc=org.jboss.security.SecurityAssociation$SubjectContext@1b9e1e7{principal=testuser,subject=10368983}
          2006-12-11 23:23:28,908 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b041f3[Subject(18477885).principals=org.jboss.security.SimplePrincipal@32394345(testuser)org.jboss.security.SimpleGroup@27381857(Roles(members:trader)),credential.class=java.lang.String@21479899,expirationTime=1165899151778]
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: testuserto: testuser
          2006-12-11 23:23:28,908 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@1b9e1e7{principal=testuser,subject=10368983}
          2006-12-11 23:23:28,908 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] getUserRoles, subject: Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[testuser(trader,)]
          2006-12-11 23:23:28,908 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'testuser' with type 'BASIC'
          2006-12-11 23:23:28,908 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[testuser(trader,)]
          2006-12-11 23:23:28,908 DEBUG [org.apache.catalina.realm.RealmBase] Username testuser has role trader
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: trader
          2006-12-11 23:23:28,908 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[testuser(trader,)]
          2006-12-11 23:23:28,908 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
          2006-12-11 23:23:28,908 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
          2006-12-11 23:23:28,909 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
           Principal: testuser
           Principal: Roles(members:trader)
          , sc=org.jboss.security.SecurityAssociation$SubjectContext@1642565{principal=testuser,subject=10368983}
          2006-12-11 23:23:28,909 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:28,909 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:28,910 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:28,910 TRACE [org.jboss.web.tomcat.security.RunAsListener] default, runAs: null
          2006-12-11 23:23:28,910 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
          2006-12-11 23:23:28,910 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[testuser(trader,)]
          2006-12-11 23:23:28,910 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
          2006-12-11 23:23:36,657 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897416657 sessioncount 0
          2006-12-11 23:23:36,657 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
          2006-12-11 23:23:36,657 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1165897416657 sessioncount 0
          2006-12-11 23:23:36,657 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
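
One way to triage a trace like the one above, as an added example that is not part of the original post: classify each successful authentication as a cache hit or a full login module run, and relate it to the last cache flush. The function name, the verdict strings and the abridged sample are assumptions made for this example; the patterns match message text that appears in the posted log.

```python
import re
from datetime import datetime

# Abridged from the trace in the post: only the decisive lines are kept and
# the long DomainInfo dump is shortened to "[...]".
SAMPLE_LOG = """\
2006-12-11 23:22:44,306 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Begin isValid, principal:testuser, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@bcecc7[...]
2006-12-11 23:22:44,307 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'testuser' with type 'BASIC'
2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
2006-12-11 23:22:47,451 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=0
2006-12-11 23:23:28,886 TRACE [org.jboss.security.plugins.JaasSecurityManager.mydomain] Begin isValid, principal:testuser, cache info: null
2006-12-11 23:23:28,886 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
2006-12-11 23:23:28,907 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] User 'testuser' authenticated, loginOk=true
2006-12-11 23:23:28,908 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'testuser' with type 'BASIC'
"""

LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\w+\s+\[[^\]]+\]\s+(.*)$")
IS_VALID = re.compile(r"Begin isValid, principal:([^,\s]+), cache info: (.*)")
AUTHED = re.compile(r"Authenticated '([^']+)' with type '([^']+)'")
REMAINING = re.compile(r"remaining in cache=(\d+)")


def classify_logins(log_text):
    """Return one record per 'Authenticated ... with type ...' line."""
    flushed_at = None   # time the flush listener last reported an empty cache
    cache_hit = {}      # principal -> did the preceding isValid find a cache entry?
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue    # continuation lines of multi-line entries carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        msg = m.group(2)
        flush = REMAINING.search(msg)
        valid = IS_VALID.search(msg)
        authed = AUTHED.search(msg)
        if flush and flush.group(1) == "0":
            flushed_at = ts
        elif valid:
            cache_hit[valid.group(1)] = valid.group(2).strip() != "null"
        elif authed:
            user, auth_type = authed.groups()
            hit = cache_hit.pop(user, False)
            if hit:
                verdict = "cache hit"
            elif flushed_at is not None:
                # The cache was empty, so the login module ran again with
                # credentials that arrived in this request.
                verdict = "full login after flush"
            else:
                verdict = "full login"
            since = (ts - flushed_at).total_seconds() if flushed_at else None
            events.append({"time": ts, "user": user, "auth_type": auth_type,
                           "verdict": verdict, "seconds_since_flush": since})
    return events


if __name__ == "__main__":
    for e in classify_logins(SAMPLE_LOG):
        print(e["time"], e["user"], e["auth_type"], e["verdict"], e["seconds_since_flush"])
```

A "full login after flush" record means the flush itself took effect and the request carried valid credentials again.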



          • 2. Re: FORM based authenticated session not logged out properly
            starksm64

            BASIC auth sends credentials regardless of the session state. There is no way to force the browser to redisplay its basic login.
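
The behaviour described in this reply, as an added example that is not part of the original thread: a toy model of a single web application in which the browser replays its BASIC `Authorization` header after the session is invalidated and the authentication cache flushed, next to FORM login where the identity is bound to the session. The `Container` class, the `/secure/` path and the constructed account are assumptions for illustration; this is not JBoss or Tomcat code, and the portal setup from the first post is not modelled.

```python
import base64
import secrets

USERS = {"testuser": "pw-constructed"}   # constructed account, stands in for LDAP


class Container:
    """Toy servlet container protecting /secure/ with BASIC or FORM auth."""

    def __init__(self, method):
        self.method = method
        self.sessions = {}        # session id -> authenticated principal
        self.auth_cache = {}      # principal -> credential (JAAS-style cache)
        self.backend_logins = 0   # how often the login module really ran

    def _authenticate(self, user, password):
        if self.auth_cache.get(user) == password:
            return True                       # cache hit, no backend call
        self.backend_logins += 1
        if USERS.get(user) == password:
            self.auth_cache[user] = password
            return True
        return False

    def form_login(self, user, password):
        """Models the POST to j_security_check; returns a session id or None."""
        if not self._authenticate(user, password):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def invalidate(self, sid, user):
        """Models session.invalidate() plus the flushOnSessionInvalidation flush."""
        self.sessions.pop(sid, None)
        self.auth_cache.pop(user, None)

    def get_secure(self, authorization=None, sid=None):
        """Return the HTTP status for GET /secure/ given the request state."""
        if self.method == "FORM":
            return 200 if sid in self.sessions else 302   # 302: to login page
        if authorization is None:
            return 401                                    # browser shows dialog
        encoded = authorization.split(" ", 1)[1]
        user, _, password = base64.b64decode(encoded).decode().partition(":")
        return 200 if self._authenticate(user, password) else 401


def logout_outcome(method):
    """Log in, invalidate, then request /secure/ again the way a browser would."""
    c = Container(method)
    header = "Basic " + base64.b64encode(b"testuser:pw-constructed").decode()
    if method == "FORM":
        sid = c.form_login("testuser", "pw-constructed")
        before = c.get_secure(sid=sid)
        c.invalidate(sid, "testuser")
        after = c.get_secure(sid=sid)                 # stale cookie is rejected
    else:
        before = c.get_secure(authorization=header)   # typed once by the user
        c.invalidate(None, "testuser")
        after = c.get_secure(authorization=header)    # browser replays the header
    return before, after, c.backend_logins


if __name__ == "__main__":
    for method in ("BASIC", "FORM"):
        print(method, logout_outcome(method))
```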

            • 3. Re: FORM based authenticated session not logged out properly
              jdsignature

              What about the form based authentication?