8 Replies Latest reply on Apr 27, 2010 3:48 AM by seekeryan

Auth Cache is not flushed after logout

seekeryan Feb 9, 2010 12:03 PM

Hi, can anyone kindly help me?

Currently we tried to migrate our project from JBOSS 4.2 to 5.1, however the Authentication Cache is failed to be flushed after the logout method

is called which worked fine on JBOSS 4.2.Our project leverages the JAAS to do the Authentication and authorization.

Here is the code and config file.

1. LoginModule

We wrote a CustomLoginModule and CustomPrincipal by implementing LoginModule and Principal interfaces accordingly.

Enable the custom LoginModule in login-config.xml file

<policy>
    <application-policy name="AppUsers">
        <authentication>
            <login-module code="test.security.MyLoginModule" flag="required"/>
        </authentication>
    </application-policy>
</policy>

2.Create a Servlet which logins and calls an ejb bean method.

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        if (request.getParameter("logout") != null) {
            try {

                // Logout
                WebAuthentication webAuthentication = new WebAuthentication();
                webAuthentication.logout();
            } catch (Exception e) {
                e.printStackTrace(out);
            }
        } else if (request.getParameter("login") != null) {
            request.getSession(true);
            InitialContext context = null;
            try {

                // login method of our custom LoginModule is called.
                WebAuthentication webAuthentication = new WebAuthentication();
                if (webAuthentication.login(username, password)) {
                    System.out.println("web authentication");
                }
                context = new InitialContext();
                context.getEnvironment();
                A a = (A) context.lookup("ejb/A");

                // call ejb method
                a.helloWorld();
                a.withoutRoels();
                doGet(request, response);
            } catch (Exception e) {
                e.printStackTrace(out);
            }
        }

     }

3. Create a jboss-web.xml file with the content below

<jboss-web>

<security-domain flushOnSessionInvalidation="true">java:/jaas/AppUsers</security-domain>
</jboss-web>

4. Add annotation @SecurityDomain("java:/jaas/AppUsers") to ejb bean.

5. The web content is not secured itself, we have a login.jsp which has two buttons: login and logout, when one of the button is clicked, the servlet above is invoked.

On JBOSS 4.2, after we click on the logout, the Auth data is removed from the cache, as we can see that from the jmx-console. But now, on JBOSS 5.1, the auth data is always there. Am I doing anything wrong? Can anyone help me out, this problem has bothered me for quite a long time. I tried many ways but no success.

Thanks in advance!!!

1. Re: Auth Cache is not flushed after logout

jidehem Feb 19, 2010 9:11 AM (in response to seekeryan)

Hi,

Try invalidating the session. (As explained in CachingLoginCredentials in section "Flushing the Cache on Web Session Invalidation", the cache is flushed on session invalidation. Thus you must invalidate the session)

In your code, this would mean add:
request.getSession().invalidate();
after
webAuthentication.logout();
Actions
2. Re: Auth Cache is not flushed after logout

seekeryan Feb 22, 2010 5:10 AM (in response to jidehem)

Hi, thanks for your reply, i tried that before, but it throws exception "session already in invalid state", as after the webAuthentication.logout() is called, the session is invalid and request.getSession().invalidate() will fail.
Actions
3. Re: Auth Cache is not flushed after logout

jidehem Feb 22, 2010 12:51 PM (in response to seekeryan)

Are you sure you tried it in the same order I wrote ?

I'm using the same piece of code and it works perfectly.

Maybe you session is invalidated twice ?
Actions
4. Re: Auth Cache is not flushed after logout

seekeryan Mar 1, 2010 11:04 AM (in response to jidehem)

sorry for the late response, just came back from vacation.
Did you test on jboss 5.1? I know it works fine on jboss 4.2, but not on 5.1.
Thanks
Actions
5. Re: Auth Cache is not flushed after logout

jidehem Mar 1, 2010 5:35 PM (in response to seekeryan)

Yes, I tested on JBoss 5.1.
The biggest difference with my code seems that it's called from a scriptlet inside a JSP page, instead of from a servlet (but does it really matters ?)
Actions
6. Re: Auth Cache is not flushed after logout

seekeryan Mar 3, 2010 9:35 AM (in response to jidehem)

Hi, I did exactly as what you said. however when i checked the auth cache in jmx-console, it was still there , even after i set
<security-domain flushOnSessionInvalidation="true"> in jboss-web.xml. Have you any idea why?
thx
Actions
7. Re: Auth Cache is not flushed after logout

xmedeko Apr 26, 2010 11:42 AM (in response to seekeryan)

Hi,

for me, the auth cache is flushed after I call session.invalidate(), however, the auth cache is not flushed when I hot redeploy my WAR and the session is destroyed by this redeploy. I.e. 1. login as user X, 2. change user X password in DB, 3. redeploy the WAR (EAR), 4. try to login as user X. The login pass but should fail.

I have found out this UNRESOLVED issue https://jira.jboss.org/jira/browse/JBAS-7730
Actions
8. Re: Auth Cache is not flushed after logout

seekeryan Apr 27, 2010 3:48 AM (in response to xmedeko)

Hi,
thank you for your reply, now I have given up and moved back to JBoss 4.2.2 where the Auth Cache works fine.
Actions

Go to original post