8 Replies Latest reply on Apr 27, 2010 3:48 AM by Harry Yan

    Auth Cache is not flushed after logout

    Harry Yan Newbie

      Hi, can anyone kindly help me?

      Currently we tried to migrate our project from JBOSS 4.2 to 5.1, however the Authentication Cache is failed to be flushed after the logout method

      is called which worked fine on JBOSS 4.2.Our project leverages the JAAS to do the Authentication and authorization.

      Here is the code and config file.

      1. LoginModule

      We wrote a CustomLoginModule and CustomPrincipal by implementing LoginModule and Principal interfaces accordingly.

      Enable the custom LoginModule in login-config.xml file

          <application-policy name="AppUsers">
                  <login-module code="test.security.MyLoginModule" flag="required"/>

      2.Create a Servlet which logins and calls an ejb bean method.

      protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

              if (request.getParameter("logout") != null) {
                  try {

                      // Logout
                      WebAuthentication webAuthentication = new WebAuthentication();
                  } catch (Exception e) {
              } else if (request.getParameter("login") != null) {
                  InitialContext context = null;
                  try {

                      // login method of our custom LoginModule is called.
                      WebAuthentication webAuthentication = new WebAuthentication();
                      if (webAuthentication.login(username, password)) {
                          System.out.println("web authentication");
                      context = new InitialContext();
                      A a = (A) context.lookup("ejb/A");

                      // call ejb method
                      doGet(request, response);
                  } catch (Exception e) {


      3. Create a jboss-web.xml file with the content below

         <!-- Indicate that the cached auth should be flushed when session expires-->
         <security-domain  flushOnSessionInvalidation="true">java:/jaas/AppUsers</security-domain>

      4. Add annotation @SecurityDomain("java:/jaas/AppUsers") to ejb bean.

      5. The web content is not secured itself, we have a login.jsp which has two buttons: login and logout, when one of the button is clicked, the servlet above is invoked.


      On JBOSS 4.2, after we click on the logout, the Auth data is removed from the cache, as we can see that from the jmx-console. But now, on JBOSS 5.1, the auth data is always there. Am I doing anything wrong? Can anyone help me out, this problem has bothered me for quite a long time. I tried many ways but no success.


      Thanks in advance!!!