flushOnSessionInvalidation not working on JBoss 5
jmiguel77 Oct 21, 2010 5:43 PM
Hi all,
I have a question / problem with a custom LoginModule; the scenario is like this:
My custom LoginModule extends HttpServletRequestLoginModule; I am implementing all the relevant methods (login, abort, logout, commit, etc.). I don't think the code in that LoginModule is relevant, but if it is needed I can post it.
The login-config.xml looks like this:
<application-policy name="SpyralSecurityPolicy">
<authentication>
<login-module code="com.carrasco.internet.security.JSFInternetLoginModule" flag="required">
<module-option name="wsUrl">http://someUrl</module-option>
</login-module>
</authentication>
</application-policy>
The jboss-web.xml looks like this:
<jboss-web>
<context-root>/spyralSecurity</context-root>
<security-domain flushOnSessionInvalidation="true">
java:/jaas/SpyralSecurityPolicy
</security-domain>
</jboss-web>
And the web.xml looks like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>SpyralSecurityApplication</web-resource-name>
<url-pattern>/pages/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
In my application I have a logout action that does this:
HttpServletRequest request = (HttpServletRequest) FacesContext
.getCurrentInstance().getExternalContext().getRequest();
request.getSession().invalidate();
As far as I know, this should be sufficient to log out and clear the LoginCredentials cache, but in the security log I have found this:
2010-10-21 16:24:02,238 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] securityDomain=SpyralSecurityPolicy
2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated Principal=com.carrasco.internet.security.UsuarioInternet@10ccf09
2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Before flush of authentication cache::
2010-10-21 16:24:02,245 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SpyralSecurityPolicy, org.jboss.security.plugins.SecurityDomainContext@19c92e2 to map
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] After flush of authentication cache::
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin
As you see, before the flush of the authentication cache there is one authenticated principal, and after the flush of the authentication cache there is still 1 authenticated principal.
Am I doing something wrong or missing something? Is this a bug in the JBoss 5.1.0.GA server?
Please help, this is very urgent.
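The flush performed by SecurityFlushSessionListener removes the cache entry keyed by the Principal it is handed, so it only succeeds when that Principal is equal (equals/hashCode) to the key under which the entry was stored; the log above shows the session principal printed as a raw object reference while the cached key prints as "admin". The following is an added illustration, not code from the post: both principal classes, the map-based cache and flushAndCount are hypothetical stand-ins for the container's cache, and whether the post's UsuarioInternet class behaves like either of them is an assumption.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Stand-in for a security-domain authentication cache keyed by Principal
// (the real cache lives inside JaasSecurityManager; this is only an illustration).
public class PrincipalCacheFlushDemo {

    // Hypothetical principal that does NOT override equals/hashCode:
    // two instances for the same user are two different map keys.
    static final class IdentityPrincipal implements Principal {
        private final String name;
        IdentityPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical principal whose identity is its user name, so any
    // instance built from the same name addresses the same cache entry.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Mimics the listener's flush: drop the entry for the session's principal
    // and report how many authenticated principals remain in the cache.
    static int flushAndCount(Map<Principal, String> cache, Principal sessionPrincipal) {
        cache.remove(sessionPrincipal);
        return cache.size();
    }

    public static void main(String[] args) {
        Map<Principal, String> cache = new HashMap<>();
        cache.put(new IdentityPrincipal("admin"), "subject-1");
        // A second instance for the same user (e.g. the one held by the session) misses the key.
        System.out.println("identity-based equality: remaining="
                + flushAndCount(cache, new IdentityPrincipal("admin")));

        cache.clear();
        cache.put(new NamedPrincipal("admin"), "subject-1");
        System.out.println("name-based equality: remaining="
                + flushAndCount(cache, new NamedPrincipal("admin")));
    }
}
```

The first flush leaves 1 entry behind, matching the "remaining in cache=1" lines in the log; the second removes it, which is the behaviour a session-invalidation logout relies on.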