2 Replies Latest reply on Oct 4, 2006 1:55 PM by sappenin

    How do I logout on a JSR 181 endpoint?

    sappenin Novice

      I have a JSR 181 EJB/Web Service endpoint that is secured using the BASIC auth method. Everything works fine, and when I try to access the WSDL in a browser (for example), I get a login popup, and I can authenticate just fine.

      However, I want to be able to "logout" and access the web-service as a different user, without closing the browser to reset the session.

      Is there a good way to do this? In a typical servlet, one can simply invalidate the session, but I don't see a way to do this from a web-service function inside of an EJB (e.g., logout() function).



        • 1. Re: How do I logout on a JSR 181 endpoint?
          sappenin Novice

          Ok, so I recognize that while using BASIC auth, the browser controls the login session, and nothing on the server side can logout a "BASIC" authenticated client.

          Just FYI, I'm calling a JBoss webservice from an Adobe FLEX Flash application running in the browser.

          So, I turned BASIC auth OFF on my webservices EJB endpoint, and am now using WSSE UsernameToken to authenticate the Flash client to my JSR 181 EJB endpoint.

          However, for whatever reason, if I make some WS calls as User A, then make some WS calls as User B (essentially, changing the WSSE username/password tokens), JBoss still thinks I'm user A.

          I did some digging on my JBoss server (DEBUG mode), and noticed that the WSSE client calls are happening via HTTP POST. Since my username is being "remembered" by the JBoss server, there must be some sort of session getting established? (This seems to be functioning a lot like FORM-based authentication). In a typical servlet, I could simply "logout" by invalidating the session. HOW does one do that with an EJB? I don't see any way to get access to the Session... so I don't know how to invalidate it.

          Any ideas?



          • 2. Re: How do I logout on a JSR 181 endpoint?
            sappenin Novice


            I solved my problem. As it turns out, I had a bug in my code on the Flex side that was adding a WSSE header every time I logged out/logged in (but never removing the headers, and re-using the WebService object used to make calls to the JBossWS). So, while I did have the new credentials to login as, I still had the old credentials in the WebService object, which were getting passed to JBoss.

            So, after correcting for this error on my part, I can now send multiple WS requests as different users without shutting down my browser, exiting the Flash client, or "invalidating" anything on the server side.

            Apparently, all JBossWS calls are stateless. (Ahem).
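
Added example, not part of the original thread and not JBossWS or Flex code: a Python sketch of the client-side bug described in reply 2 (WSSE headers accumulating on a reused client object), the fix, and a receiver-side guard that refuses a message carrying more than one UsernameToken. `SoapClient`, `usernames_in` and `authenticated_user` are hypothetical names, and the user names and passwords passed in are constructed sample values.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


class SoapClient:
    """Hypothetical stand-in for a reused client-side WebService object."""

    def __init__(self):
        self.headers = []  # header elements sent with every call

    def login_buggy(self, user, password):
        # Bug from the thread: a new WSSE header is added on each login
        # and the previous user's header is never removed.
        self.headers.append(self._security(user, password))

    def login_fixed(self, user, password):
        # Fix: replace the stored credentials instead of accumulating them.
        self.headers = [self._security(user, password)]

    @staticmethod
    def _security(user, password):
        sec = ET.Element(f"{{{WSSE}}}Security")
        tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
        ET.SubElement(tok, f"{{{WSSE}}}Password").text = password
        return sec

    def build_request(self):
        env = ET.Element(f"{{{SOAP}}}Envelope")
        ET.SubElement(env, f"{{{SOAP}}}Header").extend(self.headers)
        ET.SubElement(env, f"{{{SOAP}}}Body")
        return ET.tostring(env)


def usernames_in(request_bytes):
    """Return every wsse:Username carried in the SOAP header, in order."""
    header = ET.fromstring(request_bytes).find(f"{{{SOAP}}}Header")
    if header is None:
        return []
    return [u.text for u in header.iter(f"{{{WSSE}}}Username")]


def authenticated_user(request_bytes):
    """Receiver-side guard: accept exactly one UsernameToken, else refuse."""
    names = usernames_in(request_bytes)
    if len(names) != 1:
        raise ValueError(f"expected 1 UsernameToken, got {len(names)}")
    return names[0]
```

Logging in twice with `login_buggy` produces a request that still carries the first user's token, which the guard rejects as ambiguous; the same sequence with `login_fixed` carries only the second user's token.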