8 Replies Latest reply on Jul 31, 2008 11:29 AM by geosinho

    Logout from a WebService application

    baeurlem

      Hi,

      We have a Flex Client which communicates via WebServices. I wrote a custom LoginModule which performs the authentication. This works well without problems.

      But how to logout the user? The LoginModule has a logout() method but how should this be called? Do we need a WebService with a logout() method which delegates to the LoginModule? How to access the LoginModule in this case?

      The good thing with the LoginModule is, that it is transparent to the WebServices and Business-Logic but if we need an explicit logout() method this transparency is removed.

      Is there a preferred design for this?

      All examples I found are based on a standard Web-Application with Servlets which does not apply in this case.

      Regards,
      Markus

        • 1. Re: Logout from a WebService application
          ragavgomatam

          If HttpSession times out or if you call

          session.invalidate()
          only then is it logged out. Else if you do a JAAS login & have the LoginContext handle, you could do a
          LoginContext.logout()


          • 2. Re: Logout from a WebService application
            baeurlem

            Thanks for your reply.

            I have no access to the HttpSession. This is transparent for the WebServices.

            I think I have to write a @WebMethod logout() in my WebService which then calls the LoginContext.logout().

            How to access the LoginContext in a WebService? Is there a way to do this in a general way (this is much preferred :)), or do I have to use JBoss specific functionality (e.g. JBoss classes, annotations, ...)?

            Regards,
            Markus

            • 3. Re: Logout from a WebService application
              ragavgomatam

              No you cannot call

              LoginContext.logout()
              from the way you described. When you do a JAAS login with a Java client, you have a Callback Handler, LoginContext etc... Then you can call a
              LoginContext.logout()
              ... In your case, annotate a method on the Servlet as
              @WebMethod logout()
              and call
              HttpSession.invalidate()
              in that method... That will invalidate the Principal in the Session Cache & will log out...

              • 4. Re: Logout from a WebService application
                kerryjordan

                I have a similar problem. I am developing an Adobe Flex application that sends commands to a secure (via JAAS basic authentication) JBoss Java servlet. My version of JBoss is 4.2.2.GA. When a logout command is sent by the client application, I attempt to invalidate the session by calling the getSession() method on the HttpServletRequest object and then calling the invalidate() method on the returned session. However, this does not call the logout method of my custom login module (which extends the AbstractServerLoginModule), remove the principal from the JBoss JaasSecurityManager cache, nor apparently cause the authentication cache of Internet Explorer to clear. I'm not certain it even works at all. My jboss-web.xml in the application .ear contains the following:

                <?xml version="1.0" encoding="UTF-8"?>
                <jboss-web>
                 <security-domain flushOnSessionInvalidation="true">java:/jaas/MyRealm</security-domain>
                </jboss-web>
                


                which as I understand it, should cause the logout to occur on session invalidation.

                I did add the following code to clear the JaasSecurityManager cache programmatically (which calls my logout method), but that still leaves the cache on Internet Explorer intact (and I suspect that the session has not truly been invalidated)...

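                import java.security.Principal;
                import javax.management.MBeanServer;
                import javax.management.MBeanServerFactory;
                import javax.management.ObjectName;
                // Security domain name and the authenticated caller whose cache entry is flushed
                String domain = "MyRealm";
                Principal user = req.getUserPrincipal(); // req is HttpServletRequest
                ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager" );
                Object[] params = { domain, user };
                String[] signature = { "java.lang.String", Principal.class.getName() };
                // Look up the MBean server and invoke the flush operation on the JaasSecurityManager service
                MBeanServer server = ( MBeanServer ) MBeanServerFactory.findMBeanServer( null ).get( 0 );
                server.invoke( jaasMgr, "flushAuthenticationCache", params, signature );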
                


                Any thoughts or suggestions? I could really use some expert advice...

                Kerry

                • 5. Re: Logout from a WebService application
                  ragavgomatam

                  Calling logout() on your LoginModule is only possible if you do a JAAS login with a handle to your CallbackHandler and LoginContext. In the case of web applications the container does this JAAS login even though you have your LoginModule. The container has the instance of the Callback Handler & passes that as arguments to your initialize() method. So calling the logout() method on your CustomLoginModule is ruled out when you do a web-based login... There is no way you can do it from your browser...

                  Next question is :- Are you certain that the Principal is not cleared from our session... Check it as follows after session time out:-

                  Principal p = request.getUserPrincipal();
                  If the Principal is null then it works, else we have an issue... I tried it with JBoss 5 Beta 3 & it works... You are redirected to the Login Page again & asked to authenticate

                  • 6. Re: Logout from a WebService application
                    baeurlem

                    Thanks again for all the replies

                    But:

                    I have no Servlet, I only have a @Stateless @WebService:


                    @Stateless
                    @WebService(name = "UserService", targetNamespace = Constants.NAMESPACE)
                    public class UserManagementEndpointImpl implements UserManagementEndpoint
                    {
                     ...
                     @WebMethod
                     public void logout() {
                     // what to do here?
                     }
                     ...
                    }
                    
                    public interface UserManagementEndpoint
                    {
                     public void logout();
                    }
                    
                    



                    How can I access the HttpSession or the HttpServletRequest?

                    Is there a way to access this through JNDI? Is there a way to access the LoginContext through JNDI? I looked in the jmx-console but I did not find anything.

                    Regards,
                    Markus
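
An added example, not part of the original posts and not JBoss project code: one way a `@Stateless @WebService` can reach the servlet request through the standard JAX-WS `WebServiceContext`, invalidate the HTTP session and flush the JAAS authentication cache using the JMX call shown in reply 4. The class name `LogoutEndpointExample` and the reuse of the `MyRealm` domain are assumptions, as is the JAX-WS runtime populating `MessageContext.SERVLET_REQUEST` for an EJB endpoint.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@Stateless
@WebService(name = "UserService")
public class LogoutEndpointExample { // hypothetical class name
    private static final String DOMAIN = "MyRealm"; // assumed: realm name used in reply 4

    @Resource
    private WebServiceContext wsContext; // injected by the JAX-WS runtime

    @WebMethod
    public boolean logout() {
        // Caller as authenticated by the container; null for an anonymous call.
        Principal user = wsContext.getUserPrincipal();
        // The servlet request is only present when the call arrived over HTTP.
        HttpServletRequest req = (HttpServletRequest)
                wsContext.getMessageContext().get(MessageContext.SERVLET_REQUEST);
        HttpSession session = (req == null) ? null : req.getSession(false);
        if (session != null) {
            session.invalidate(); // getSession(false): never create one just to destroy it
        }
        if (user == null) {
            return false; // nothing cached for this caller
        }
        try {
            // Flush the cached authentication so the next call re-runs the LoginModule.
            MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(new ObjectName("jboss.security:service=JaasSecurityManager"),
                    "flushAuthenticationCache", new Object[] { DOMAIN, user },
                    new String[] { String.class.getName(), Principal.class.getName() });
            return true;
        } catch (Exception e) { // JMX failures must not look like a successful logout
            throw new IllegalStateException("authentication cache flush failed", e);
        }
    }
}
```

With HTTP Basic authentication the client re-sends its credentials on every request, so server-side invalidation alone does not stop the browser from silently re-authenticating, which is consistent with the Internet Explorer behaviour described in reply 4.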



                    • 7. Re: Logout from a WebService application
                      ragavgomatam

                      I don't think you can log out using web service...Again I am not sure of this...

                      • 8. Re: Logout from a WebService application
                        geosinho

                        hello,
                        I'm looking for information about applications with Flex, JAAS and EJB3. The author of this subject succeeded in setting up an application of this kind. Can somebody help me??

                        Cordially

                        Antoine