-
1. Re: Logout from a WebService application
ragavgomatam Jan 29, 2008 9:26 PM (in response to baeurlem)
If HttpSession times out or if you call
session.invalidate()
only then is it logged out. Else if you do a JAAS login & have the LoginContext handle, you could do
aLoginContext.logout()
-
2. Re: Logout from a WebService application
baeurlem Jan 30, 2008 6:36 AM (in response to baeurlem)
Thanks for your reply.
I have no access to the HttpSession. This is transparent for the WebServices.
I think I have to write a @WebMethod logout() in my WebService which then calls the LoginContext.logout().
How to access the LoginContext in a WebService? Is there a way to do this in a general way (this is much preferred :)), or do I have to use JBoss specific functionality (e.g. JBoss classes, annotations, ...)?
Regards,
Markus
-
3. Re: Logout from a WebService application
ragavgomatam Jan 30, 2008 12:00 PM (in response to baeurlem)
No you cannot call
LoginContext.logout()
from the way you described. When you do a JAAS login with a Java client, you have a Callback Handler, LoginContext etc... Then you can call
aLoginContext.logout()
... In your case, annotate a method on the Servlet as
@WebMethod logout()
and call
HttpSession.invalidate()
in that method... That will invalidate the Principal in the Session Cache & will logout....
-
4. Re: Logout from a WebService application
kerryjordan Jan 30, 2008 2:41 PM (in response to baeurlem)
I have a similar problem. I am developing an Adobe Flex application that sends commands to a secure (via JAAS basic authentication) JBoss Java servlet. My version of JBoss is 4.2.2.GA. When a logout command is sent by the client application, I attempt to invalidate the session by calling the getSession() method on the HttpServletRequest object and then calling the invalidate() method on the returned session. However, this does not call the logout method of my custom login module (which extends the AbstractServerLoginModule), remove the principal from the JBoss JaasSecurityManager cache, nor apparently cause the authentication cache of Internet Explorer to clear. I'm not certain it even works at all. My jboss-web.xml in the application .ear contains the following:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">java:/jaas/MyRealm</security-domain>
</jboss-web>
which as I understand it, should cause the logout to occur on session invalidation.
I did add the following code to clear the JaasSecurityManager cache programmatically (which calls my logout method), but that still leaves the cache on Internet Explorer intact (and I suspect that the session has not truly been invalidated)...
String domain = "MyRealm";
Principal user = req.getUserPrincipal(); // req is HttpServletRequest
ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager" );
Object[] params = { domain, user };
String[] signature = { "java.lang.String", Principal.class.getName() };
MBeanServer server = ( MBeanServer ) MBeanServerFactory.findMBeanServer( null ).get( 0 );
server.invoke( jaasMgr, "flushAuthenticationCache", params, signature );
Any thoughts or suggestions? I could really use some expert advice...
Kerry
-
5. Re: Logout from a WebService application
ragavgomatam Jan 30, 2008 9:32 PM (in response to baeurlem)
Calling logout() on your LoginModule is only possible if you do a JAAS login with a handle to your CallbackHandler and LoginContext. In the case of web applications the container does this JAAS login even though you have your LoginModule. The container has the instance of the Callback Handler & passes that as arguments to your initialize() method. So calling the logout() method on your CustomLoginModule is ruled out when you do a web based login... There is no way you can do it from your browser....
Next question is: Are you certain that the Principal is not cleared from our session... Check it as follows after session time out:
Principal p = request.getUserPrincipal();
If the Principal is null then it works, else we have an issue...... I tried it with JBoss 5 Beta 3 & it works... You are redirected to the Login Page again & asked to authenticate
-
6. Re: Logout from a WebService application
baeurlem Jan 31, 2008 5:22 AM (in response to baeurlem)
Thanks again for all the replies
But:
I have no Servlet, I only have a @Stateless @WebService:
@Stateless
@WebService(name = "UserService", targetNamespace = Constants.NAMESPACE)
public class UserManagementEndpointImpl implements UserManagementEndpoint {
    ...
    @WebMethod
    public void logout() {
        // what to do here?
    }
    ...
}

public interface UserManagementEndpoint {
    public void logout();
}
How can I access the HttpSession or the HttpServletRequest?
Is there a way to access this through JNDI? Is there a way to access the LoginContext through JNDI? I looked in the jmx-console but I did not find anything.
Regards,
Markus
-
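Added example, not part of the original thread: one way the logout() method asked about in post 6 could reach the HTTP session from a JAX-WS endpoint, using the standard WebServiceContext injection together with the cache flush call from post 4. It assumes the container populates MessageContext.SERVLET_REQUEST for this endpoint (the method returns false otherwise); the class name LogoutEndpointExample is hypothetical and the domain MyRealm is taken from post 4.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@Stateless
@WebService(name = "UserService")
public class LogoutEndpointExample { // hypothetical class name

    // Injected by the container; standard JAX-WS, not JBoss-specific.
    @Resource
    private WebServiceContext wsContext;

    /** Returns true only if a server-side session was found and invalidated. */
    @WebMethod
    public boolean logout() throws Exception {
        Principal caller = wsContext.getUserPrincipal();
        MessageContext mc = wsContext.getMessageContext();
        // Assumption: the container exposes the HTTP request for this endpoint.
        HttpServletRequest req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);

        if (caller != null) {
            // JBoss-specific flush from post 4, limited to the caller's own
            // principal; the user to flush is never taken from a parameter.
            ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
            MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(jaasMgr, "flushAuthenticationCache",
                    new Object[] { "MyRealm", caller },
                    new String[] { String.class.getName(), Principal.class.getName() });
        }
        if (req == null) {
            return false; // no servlet request available, so no session to end
        }
        HttpSession session = req.getSession(false); // do not create one just to destroy it
        if (session == null) {
            return false;
        }
        session.invalidate();
        return true;
    }
}
```

With HTTP Basic authentication the client resends its credentials on every request, so this ends only the server-side state; it cannot clear credentials cached by the browser.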
7. Re: Logout from a WebService application
ragavgomatam Feb 1, 2008 4:54 PM (in response to baeurlem)
I don't think you can log out using web service... Again I am not sure of this...
-
8. Re: Logout from a WebService application
geosinho Jul 31, 2008 11:29 AM (in response to baeurlem)
hello,
I'm looking for information about application with Flex, JAAS and EJB3. The author of this subject succeeded in setting up an application of this kind. Can somebody help me??
Cordially
Antoine