9 Replies Latest reply on Sep 24, 2013 4:28 AM by schum-hacker

    Logout Jaas

    schum-hacker

      Hello,

      I am trying to log out but it doesn't work.

      I read that session.invalidate(); calls logout() on JAAS.

      Please, I need help.

      Thanks

       

      jboss-web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <!-- DBG - 28/01/10  ==  Authentication/JAAS -->
          <security-domain>java:/jaas/m</security-domain>
          <context-root>/MWeb</context-root>
      </jboss-web>


      killSession.jsp

      <%
      session.invalidate();
      %>
      <%@page contentType="text/html" pageEncoding="UTF-8"%>
      <!DOCTYPE html>
      <html>
          <head>
              <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
              <title>M logout</title>
          </head>
          <body>
              <h1>Logout</h1>
              You are disconnected from M application.
          </body>
      </html>

        • 1. Re: Logout Jaas
          schum-hacker

          help

          • 2. Re: Logout Jaas
            ybxiang.china

            package com.ybxiang.forum.servlet;

            import java.io.IOException;
            import java.security.Principal;
            import java.util.logging.Logger;

            import javax.ejb.EJB;
            import javax.servlet.ServletException;
            import javax.servlet.annotation.WebServlet;
            import javax.servlet.http.HttpServlet;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;
            import javax.servlet.http.HttpSession;

            import com.ybxiang.forum.ejb.session.core.ICacheService;

            /**
             * http://www.technicaladvices.com/2012/07/08/the-effective-java-logout-servlet-code/
             *
             * The servlet must be put into <security-constraint> <web-resource-collection> in web.xml, if not, request.getUserPrincipal() will be null!
             *
             * See: com.ybxiang.forum.jsfmbean.JSFHelper.printFacesExternalContext()
             */
            @WebServlet("/logoutServlet")
            public class LogoutServlet extends HttpServlet {
                private static final long serialVersionUID = 1L;
                static final Logger logger = Logger.getLogger(LogoutServlet.class.getName());

                @EJB
                ICacheService cacheService;

                @Override
                protected void doGet(HttpServletRequest request,
                        HttpServletResponse response) throws ServletException, IOException {

                    //********************** refresh online status **********************//
                    try {
                        Principal p = request.getUserPrincipal();
                        if (p != null) {
                            cacheService.markUserAsOffline(p.getName());
                        }
                    } catch (Exception e) {
                        logger.info(e.getMessage());
                    }

                    //********************** log out(clean something) **********************//
                    response.setHeader("Cache-Control", "no-cache, no-store");
                    response.setHeader("Pragma", "no-cache");
                    // setDateHeader writes a valid HTTP date; Date.toString() does not.
                    response.setDateHeader("Expires", 0);//http://www.coderanch.com/t/541412/Servlets/java/Logout-servlet-button
                    response.setHeader("Connection", "close");//http://javaarm.com/faces/display.xhtml?tid=2416&page=1#post_18198

                    // getSession(false) returns the existing session or null, so no new
                    // session is created just to be invalidated.
                    HttpSession session = request.getSession(false);
                    if (session != null) {
                        session.invalidate();//remove session.
                    }

                    request.logout();//JAAS log out (from servlet specification)! It is a MUST!

                    //********************** redirect **********************//
                    /**
                     * Here, if we redirect response to a secured page (example:request.getContextPath()+"/faces/console/console.xhtml"),
                     * then
                     * (a)<auth-method>BASIC</auth-method> will redirect secured page to login page and login automatically with username and password that are cached in web browser.
                     * (b)<auth-method>FORM</auth-method> will redirect secured page to login page too, but will NOT login automatically with username and password that are cached in web browser.
                     *
                     * Here, if we redirect response to a non-secured page, then the non-secured page is displayed (normal case).
                     */
                    response.sendRedirect(request.getContextPath());
                }
            }

            • 3. Re: Logout Jaas
              ybxiang.china

               

              • 4. Re: Logout Jaas
                schum-hacker

                Hi,

                Thanks for your help, but it doesn't change anything.

                I put this in the servlet, in processRequest. I call the servlet, and I am redirected to my home page but I am still logged in.

                 

                //********************** log out(clean something) **********************//
                response.setHeader("Cache-Control", "no-cache, no-store");
                response.setHeader("Pragma", "no-cache");
                response.setHeader("Expires", new java.util.Date().toString());//http://www.coderanch.com/t/541412/Servlets/java/Logout-servlet-button
                //response.setHeader("Expires", "0")//http://www.coderanch.com/t/541412/Servlets/java/Logout-servlet-button
                response.setHeader("Connection", "close");//http://javaarm.com/faces/display.xhtml?tid=2416&page=1#post_18198
                //
                if(request.getSession(false)!=null){
                    request.getSession(false).invalidate();//remove session.
                }
                if(request.getSession()!=null){
                    request.getSession().invalidate();//remove session.
                }

                request.logout();//JAAS log out (from servlet specification)! It is a MUST!

                //********************** redirect **********************//
                /**
                 * Here, if we redirect response to a secured page (example:request.getContextPath()+"/faces/console/console.xhtml"),
                 * then
                 * (a)<auth-method>BASIC</auth-method> will redirect secured page to login page and login automatically with username and password that are cached in web browser.
                 * (b)<auth-method>FORM</auth-method> will redirect secured page to login page too, but will NOT login automatically with username and password that are cached in web browser.
                 *
                 * Here, if we redirect response to a non-secured page, then the non-secured page is displayed (normal case).
                 */
                response.sendRedirect(request.getContextPath());

                • 5. Re: Logout Jaas
                  schum-hacker

                  To get the login window (basic), I must close my Chrome browser and open it again.

                  I tried this:

                  <security-domain  flushOnSessionInvalidation="true">java:/jaas/m</security-domain>

                  I tried deleting cookies...

                  • 6. Re: Logout Jaas
                    schum-hacker

                    Thanks, it's OK in production, it's just a problem on my localhost ^^

                    • 7. Re: Logout Jaas
                      ybxiang.china

                      Thanks, it's OK in production, it's just a problem on my localhost ^^

                      ~~~~~~~~~It is OK in both development and production environments.

                      What is your JBoss AS version?

                      There is a bug about IP binding with JBoss AS 7.1.3; I use JBoss AS 7.2.0.

                      IE:

                          If you log out and redirect to a page that only logged-in users can access, then IE will log in again automatically!!!

                          So, please make sure your home page can be accessed by public guests.

                       

                      Firefox:

                          Has no such problem.
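
The BASIC versus FORM behaviour and the public landing page discussed in replies 2 and 7, as a web.xml configuration. This is an added example, not part of the thread or of either poster's application; the role name `user`, the `/console/*` path and the `index.jsp`, `login.jsp` and `loginError.jsp` pages are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Protected area: only these URL patterns require a login.
         /logoutServlet is listed so that request.getUserPrincipal() is
         populated inside the servlet, as reply 2 points out. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/console/*</url-pattern>       <!-- assumed path -->
            <url-pattern>/logoutServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>                 <!-- assumed role -->
        </auth-constraint>
    </security-constraint>

    <!-- The context root, which the logout servlet redirects to, matches no
         security-constraint. Anonymous visitors can load it, so the browser
         is not challenged (and does not re-authenticate) right after logout. -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>          <!-- assumed public page -->
    </welcome-file-list>

    <!-- With BASIC the browser keeps the credentials and resends them in the
         Authorization header, so the server-side logout is undone on the next
         request to a protected URL. With FORM the login is tied to the session,
         so session.invalidate() / request.logout() ends it. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>        <!-- assumed page -->
            <form-error-page>/loginError.jsp</form-error-page>   <!-- assumed page -->
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```
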

                      • 8. Re: Logout Jaas
                        ybxiang.china

                        Congratulations anyway!

                        • 9. Re: Logout Jaas
                          schum-hacker

                          thanks for all !!!!!!!