2 Replies Latest reply on Nov 18, 2007 6:25 PM by Shane Bryzak

    Identity retains roles after Identity.logout()?

    Colin Hawkett Newbie

      Hi,

      Seem to be having an issue where identity retains roles after calling Identity.logout().

      I'm using web services as well, so this may have something to do with it. Here is the log output -

      11:49:06,056 INFO [AuthenticatorHelper] logging in a, b via WS
      11:49:06,075 INFO [Authenticator] authenticating a, b
      11:49:09,031 INFO [Authenticator] Logged in?:true, Has admin role?:true
      11:49:09,038 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
      11:49:10,794 INFO [Authenticator] logging out
      11:49:12,433 INFO [Authenticator] Logged in?:false, Has admin role?:true
      11:49:12,436 INFO [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
      


      for this code

      @Stateless
      @WebService
      @Name("authenticator")
      public class Authenticator implements AuthenticatorLocal, AuthenticatorRemote {
       @Logger Log log;
      
       @In Identity identity;
      
       /*
       * This method is registered as the login callback in components.xml -
       * Call to identity.login() in AuthenticatorHelper below results in this method being called.
       */
       public boolean authenticate() {
       log.info("authenticating #0, #1", identity.getUsername(), identity.getPassword());
      
       identity.addRole("admin");
       return true;
       }
      
       @WebMethod
       public boolean logout() {
       log.info("logging out");
       if(identity.isLoggedIn()) identity.logout();
       return !identity.isLoggedIn();
       }
      
       @WebMethod
       public boolean loginWS(String username, String password) {
       AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
       return helper.loginWS(username, password);
       }
      
       @WebMethod
       //@Restrict("#{s:hasRole('admin')}")
       public boolean checkMeWS() {
       log.info("Logged in?:#0, Has admin role?:#1", identity.isLoggedIn(), identity.hasRole("admin"));
       AuthenticatorHelper helper = (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
       return helper.checkMeWS();
       }
      }
      
      ========================================
      
      @Name("authenticatorHelper")
      public class AuthenticatorHelper {
       @Logger Log log;
       @In Identity identity;
      
       @Restrict("#{s:hasRole('admin')}")
       public boolean checkMeWS() {
       log.info("Checking via restricted webServices, in appropriate role: " + Identity.instance().hasRole("admin"));
       return identity.isLoggedIn();
       }
      
       public boolean loginWS(String username, String password) {
       log.info("logging in #0, #1 via WS", username, password);
       identity.setUsername(username);
       identity.setPassword(password);
       identity.login();
       return identity.isLoggedIn();
       }
      }
      


      There are three separate web service calls there, but I'm struggling to see how the third one could still show the admin role. The documentation for Identity.logout() is a bit sparse - so I'm taking a guess as to what it actually does, but I would expect it to invalidate the session, and lose any role information. Any ideas?