2 Replies Latest reply on Nov 18, 2007 6:25 PM by shane.bryzak

    Identity retains roles after Identity.logout()?

    hawkettc

      Hi,

      I seem to be having an issue where Identity retains roles after calling Identity.logout().

      I'm using web services as well, so this may have something to do with it. Here is the log output -

      11:49:06,056 INFO [AuthenticatorHelper] logging in a, b via WS
      11:49:06,075 INFO [Authenticator] authenticating a, b
      11:49:09,031 INFO [Authenticator] Logged in?:true, Has admin role?:true
      11:49:09,038 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
      11:49:10,794 INFO [Authenticator] logging out
      11:49:12,433 INFO [Authenticator] Logged in?:false, Has admin role?:true
      11:49:12,436 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
      


      for this code

      import javax.ejb.Stateless;
      import javax.jws.WebMethod;
      import javax.jws.WebService;

      import org.jboss.seam.Component;
      import org.jboss.seam.annotations.In;
      import org.jboss.seam.annotations.Logger;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.log.Log;
      import org.jboss.seam.security.Identity;

      @Stateless
      @WebService
      @Name("authenticator")
      public class Authenticator implements AuthenticatorLocal, AuthenticatorRemote {
          @Logger Log log;

          @In Identity identity;

          /*
           * This method is registered as the login callback in components.xml -
           * Call to identity.login() in AuthenticatorHelper below results in this method being called.
           * Note: it logs the raw password and grants "admin" to every caller; debugging code only.
           */
          public boolean authenticate() {
              log.info("authenticating #0, #1", identity.getUsername(), identity.getPassword());

              identity.addRole("admin");
              return true;
          }

          // Call 3 in the log below: logout, then report whether the session is still logged in.
          @WebMethod
          public boolean logout() {
              log.info("logging out");
              if (identity.isLoggedIn()) identity.logout();
              return !identity.isLoggedIn();
          }

          // Call 1: delegate to the (session-scoped) helper, which drives identity.login().
          @WebMethod
          public boolean loginWS(String username, String password) {
              AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
              return helper.loginWS(username, password);
          }

          // Calls 2 and 4: log the login/role state here, then hit the @Restrict-guarded helper method.
          @WebMethod
          //@Restrict("#{s:hasRole('admin')}")
          public boolean checkMeWS() {
              log.info("Logged in?:#0, Has admin role?:#1", identity.isLoggedIn(), identity.hasRole("admin"));
              AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
              return helper.checkMeWS();
          }
      }

      ========================================

      import org.jboss.seam.annotations.In;
      import org.jboss.seam.annotations.Logger;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.security.Restrict;
      import org.jboss.seam.log.Log;
      import org.jboss.seam.security.Identity;

      @Name("authenticatorHelper")
      public class AuthenticatorHelper {
          @Logger Log log;
          @In Identity identity;

          // The restriction is evaluated against s:hasRole('admin'), not against isLoggedIn().
          @Restrict("#{s:hasRole('admin')}")
          public boolean checkMeWS() {
              log.info("Checking via restricted webServices, in appropriate role: #0", identity.hasRole("admin"));
              return identity.isLoggedIn();
          }

          // Sets the credentials on Identity and triggers the authenticate() callback above.
          public boolean loginWS(String username, String password) {
              log.info("logging in #0, #1 via WS", username, password);
              identity.setUsername(username);
              identity.setPassword(password);
              identity.login();
              return identity.isLoggedIn();
          }
      }
      


      There are three separate web service calls there, but I'm struggling to see how the third one could still show the admin role. The documentation for Identity.logout() is a bit sparse - so I'm taking a guess as to what it actually does, but I would expect it to invalidate the session, and lose any role information. Any ideas?
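The following is an added illustration, not code from the original post and not Seam's own Identity implementation. It is a minimal stand-in that keeps roles as principals on a JAAS Subject, separate from the logged-in flag, which is the shape that lets a logout reset one without the other. The class and method names (LogoutRoleLeak, LeakyIdentity, FixedIdentity, RolePrincipal, restrictedCall, logoutRevokesAccess) are assumptions for this example; restrictedCall mirrors the @Restrict("#{s:hasRole('admin')}") gate in the post, which consults the role and not the login state.

```java
import java.security.Principal;
import javax.security.auth.Subject;

/*
 * Illustrative stand-in for an Identity-style component (not Seam's source).
 * Roles are stored as principals on a Subject; the login state is a separate flag.
 */
public class LogoutRoleLeak {

    /* Role marker principal; equality is by name so contains()/clear() behave as expected. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /* Mirrors the posted pattern: login() runs an authenticate callback that grants "admin". */
    static class LeakyIdentity {
        protected final Subject subject = new Subject();
        private boolean loggedIn;

        boolean login(String username, String password) {
            // As in the posted Authenticator, the callback accepts any credentials (hypothetical).
            loggedIn = authenticate(username, password);
            return loggedIn;
        }

        boolean authenticate(String username, String password) {
            addRole("admin");
            return true;
        }

        void addRole(String role) { subject.getPrincipals().add(new RolePrincipal(role)); }
        boolean isLoggedIn() { return loggedIn; }
        boolean hasRole(String role) { return subject.getPrincipals().contains(new RolePrincipal(role)); }

        /* The defect pattern: only the login flag is reset; the Subject keeps its role principals. */
        void logout() { loggedIn = false; }
    }

    /* Corrected logout: authorization state is dropped together with the authentication state. */
    static class FixedIdentity extends LeakyIdentity {
        @Override void logout() {
            super.logout();
            subject.getPrincipals().clear();
        }
    }

    /* Stand-in for the @Restrict("#{s:hasRole('admin')}") gate: it checks the role, not isLoggedIn(). */
    static boolean restrictedCall(LeakyIdentity identity) {
        if (!identity.hasRole("admin")) {
            throw new SecurityException("not authorized");
        }
        return identity.isLoggedIn();
    }

    /*
     * Post-condition to keep in a regression test: after logout, neither isLoggedIn()
     * nor hasRole() may still be true, and the restricted call must be refused.
     * Returns true only when the identity passes that check.
     */
    static boolean logoutRevokesAccess(LeakyIdentity identity) {
        identity.login("a", "b");
        boolean grantedBefore = identity.isLoggedIn() && restrictedCall(identity);
        identity.logout();
        boolean refusedAfter;
        try {
            restrictedCall(identity);
            refusedAfter = false;
        } catch (SecurityException expected) {
            refusedAfter = true;
        }
        return grantedBefore && !identity.isLoggedIn() && !identity.hasRole("admin") && refusedAfter;
    }

    public static void main(String[] args) {
        System.out.println("leaky logout revokes access: " + logoutRevokesAccess(new LeakyIdentity()));
        System.out.println("fixed logout revokes access: " + logoutRevokesAccess(new FixedIdentity()));
    }
}
```

Compile and run with javac/java. The LeakyIdentity variant fails the check: isLoggedIn() is false after logout, but hasRole("admin") is still true, so the restricted call is still granted, which is the state shown by the fourth web service call in the log above. The FixedIdentity variant passes. The practical point is that a guard written as s:hasRole(...) keys off role state, so a logout that resets only the login flag leaves every role-restricted method open; a test of the post-condition after logout catches this regardless of which version of the framework is in use.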

        • 1. Re: Identity retains roles after Identity.logout()?
          hawkettc

          That should say 4 web service calls -

          >>>>> Call 1: loginWS
          11:49:06,056 INFO [AuthenticatorHelper] logging in a, b via WS
          11:49:06,075 INFO [Authenticator] authenticating a, b
          
          >>>>> Call 2: checkMeWS
          11:49:09,031 INFO [Authenticator] Logged in?:true, Has admin role?:true
          11:49:09,038 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
          
          >>>>> Call 3: logout
          11:49:10,794 INFO [Authenticator] logging out
          
          >>>>> Call 4: checkMeWS
          11:49:12,433 INFO [Authenticator] Logged in?:false, Has admin role?:true
          11:49:12,436 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
          


          • 2. Re: Identity retains roles after Identity.logout()?
            shane.bryzak

            This should be fixed in CVS.