Logging Out of a Security Domain
muchomagic Apr 24, 2013 2:12 PM
We've configured our web applications to use a database authentication module within a security domain in JBoss AS 7. We also configured SSO within the virtual server and for all the applications in their jboss-web.xml. It all works great, except logging out. I've read many places that invalidating the HTTP session is sufficient to log a user out, but that doesn't work.
Some of the configuration:
<security-domain name="abc-security-domain" cache-type="infinispan">
    <authentication>
        <login-module code="custom.package.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:/jdbc/myds"/>
            <module-option name="principalsQuery" value="exec h_Get_UserAccount_Password ?"/>
            <module-option name="rolesQuery" value="exec h_Get_UserRoles ?, 0"/>
            <module-option name="clearLoginAttemptsQuery" value="exec h_Reset_UserAccount_LoginAttempts ?"/>
        </login-module>
    </authentication>
</security-domain>

<virtual-server name="default-host" enable-welcome-root="false">
    <alias name="localhost"/>
    <sso reauthenticate="false"/>
</virtual-server>
Application jboss-web.xml:
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">abc-security-domain</security-domain>
    <context-root>/</context-root>
    <valve>
        <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
    </valve>
</jboss-web>
Application web.xml:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>abc-security-domain</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html</form-error-page>
    </form-login-config>
</login-config>
The logout code:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request,
                         HttpServletResponse response) throws ServletException, IOException {
        // Keep the logout response out of browser caches.
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0); // Expires must be an HTTP-date; Date.toString() is not one
        // Drop the HTTP session and the container-managed principal, then return to the root.
        request.getSession().invalidate();
        request.logout();
        response.sendRedirect("/");
    }
}
That does not work at all. After hitting that logout servlet, a user can continue to use the application just like they had before, with all of the roles they had before. They are not reprompted for username/password.
After doing some research, it seems like I may need to log them out of their LoginContext. Since I don't manually create the LoginContext, I can't find any way to retrieve it. I tried creating a stateful EJB and injecting the LoginContext into it, but the variable is always null. If I inject the SessionContext into the EJB, it injects fine, but I can't find a way to get the LoginContext from the SessionContext.
import javax.annotation.Resource;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;
import javax.security.auth.login.LoginContext;

@Local
interface EJB3 {
    void run();
}

@Stateful
public class EJB3Bean implements EJB3 {
    @Resource
    private LoginContext lc; // never populated by the container
    @Resource
    private SessionContext sc; // injected as expected
    public void run() {
        System.out.println(lc == null); // always true
        System.out.println(sc == null); // always false
    }
}
If anyone can help me figure out how to log a person out of a security domain, that would be very helpful. Thanks.
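Logging out while the SingleSignOn valve is active, as an added example that is not code from the original post or from JBoss: the servlet below invalidates the session and calls request.logout() as above, and additionally expires the valve's SSO cookie (JSESSIONIDSSO is the default name used by the Tomcat/JBoss Web SingleSignOn valve) so the next request cannot be mapped back to the old SSO entry. The servlet name, the /logout mapping and the expireCookie helper are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class, not from the original post): logout that also
// clears the SSO cookie so the SingleSignOn valve cannot re-attach the old login.
@WebServlet("/logout")
public class SsoLogoutServlet extends HttpServlet {

    // Default cookie names used by Tomcat/JBoss Web for the SSO entry and the session.
    private static final String SSO_COOKIE = "JSESSIONIDSSO";
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Keep the post-logout response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Container-level logout, then drop the session that carried the principal.
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Expire the SSO and session cookies at the path the valve/container set them for.
        expireCookie(request, response, SSO_COOKIE);
        expireCookie(request, response, SESSION_COOKIE);

        response.sendRedirect(request.getContextPath() + "/");
    }

    // Hypothetical helper: send a zero-lifetime cookie of the same name back to the browser.
    private static void expireCookie(HttpServletRequest request, HttpServletResponse response,
                                     String name) {
        Cookie expired = new Cookie(name, "");
        expired.setMaxAge(0);
        expired.setPath("/"); // the SSO cookie is issued at the root path
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }
}
```

After the redirect, a request to a protected page should reach the FORM login page again; if it does not, the SSO entry is still being honoured and the cookie path or domain of the expired cookie does not match the one the valve set.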