1 2 Previous Next 17 Replies Latest reply on Dec 20, 2005 3:27 PM by Dan Simon

    Logout ??

    Thomas Völklein Newbie

      Hi !

      I want to create a button, to logout from my application. Like the button in the Userportlet.

      Session.invalidate() is not working, as already discussed in this forum.

      But nowhere was written down how to solve this problem.

      Any suggestions ?

      In the Userportlet there's a method userLogout(). Has anybody the code ?



        • 1. Re: Logout ??
          Woodler Expert

          your portlet needs to extend JBossPortlet , which will give you the JBossActionResponse as an argument in the processAction method. This response has the

           public void signOut()

          method, which encapsulates all the logout functionality.

          • 2. Re: Logout ??
            Thomas Völklein Newbie

            I want to put the logout button at the very top of the website so i have to put it in the layout.jsp.
            As there is no portlet i only have some scriptlet code within the jsp, to do a logout.

            any suggestions ?



            • 3. Re: Logout ??
              Viet Master

              you need to do that in an processAction() of a portlet.

              • 4. Re: Logout ??
                Woodler Expert

                you can write a portlet for that and place it into the header region. turn off decoration for that portlet if you want (examples for that are in the theme test page in the default portal (in 2.2)), so that you see only the button, and none of the title or edit/view/help links , etc.

                In that case, every page that wants to use this feature needs to define your logout portlet as one of the portlets on the page, and it needs to assign it to a region that your layout actually renders.

                • 5. Re: Logout ??
                  Dan Simon Newbie

                  I've got the signOut() method being called, and it is effectively disabling the JAAS login/session that we are using (logging the user out).

                  The problem that I'm seeing, however, is that it is not destroying the session on the server. Which means that if the user does not close their browser and logs back in with a different id, the session is brought back and contains information form the previous login.

                  This is a HUGE problem. Microsoft was blasted for a similar problem in IIS by the security community a while back.

                  Is there a good way to completely clear out/destroy all sessions associated with a given user during the logout process (I have been lead to understand that each portlet is given its own "session" as it exists as an independent web application)?

                  • 6. Re: Logout ??
                    Viet Master

                    can you provide a test case ?

                    • 7. Re: Logout ??
                      Dan Simon Newbie

                      Unfortunately, the codebase that we're working with right now is rather large (and we're under a huge crunch to push the product to testing).

                      Try the following:

                      1. Create a Portlet using Apache's MyFaces/JSF.

                      2. Define a managed bean with session scope in your faces-config.xml:

                      3. Inside of that managed bean, create an instance variable that is instantiated and populated with information out of your login (say, your username -- FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName())

                      Make sure that this variable is only instantiated once for the session. Something like the following:
                      package com.myco.MyBean;

                      public class MyBean {

                      private String myName;

                      public String getMyName() {
                      if (myName == null) {
                      myName = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
                      return myName;


                      4. Login as user 1. Go to a JSF page which has the following in it:
                      <h:outputText value="#{myBean.myName}" />

                      5. Logout of your session.

                      6. Without restarting your browser (so that the same sessionid is communicated to the server), login as a different user. Go to the same JSF page as step 4....you should see the information from the first login.

                      • 8. Re: Logout ??
                        Viet Master

                        what is your jboss portal version ?

                        • 9. Re: Logout ??
                          Dan Simon Newbie

                          We're running JBoss AS 4.03SP1 and running JBoss Portal 2.01RC3

                          • 10. Re: Logout ??
                            Dan Simon Newbie

                            I should probably mention as well: we're running JBoss AS with EJB3 support enabled.

                            • 11. Re: Logout ??
                              Viet Master

                              You are right, the feature is developed but there is one interceptor missing in the portlet stack which is the session tracker interceptor.

                              what you should do is :

                              1/ edit jboss-portal.sar/conf/standardjboss-portlet.xml
                              2/ in the portlet configuration add the interceptor :


                              you can add it just after the ValveInterceptor.

                              • 12. Re: Logout ??
                                Dan Simon Newbie

                                Umm...what version of Portal are you running?

                                I don't show any ValveInterceptor in my copy of standardjboss-portlet.xml, and receive the following during startup if I insert the interceptor you defined:

                                No ClassLoaders found for: org.jboss.portal.server.aspects.component.ContextTrackerInterceptor

                                Is there a new JAR or other library file that I need to pull down and add into the server lib directory?

                                • 13. Re: Logout ??
                                  Viet Master

                                  actually the valve interceptor only exist in 2.2

                                  • 14. Re: Logout ??
                                    Dan Simon Newbie

                                    Is there any way to make the logout work properly under 2.0? We've built our project around that and I'd rather get things stabilized under 2.0 before we consider migrating to 2.2 (though I'm sure that will happen in the not-too-distant future).

                                    1 2 Previous Next