0 Replies Latest reply on Mar 18, 2010 9:26 AM by Marcelo Cacace

    How to logout & make users re-login

    Marcelo Cacace Newbie

      Hi,

       

        I'm trying to logout and force  users go to  in my custom auth-form avoiding access to my webApp.

         I have GWT Project, JBoss 5.1.0 with JAAS ,  jdk1.6.0_17, GWT on clients , IE 7  & FF 3.6

        My LoginContext.logout() doesn't throw any  exception.

        I tried to fix this cleanning credentials and  principals,

        setting callbackhandler's name/password to null from  my subject,

        setting DefaultCacheTimeout to zero but I didn't fix this.

        I only could destroy cookie jsessionid in IE 7, but I doesn't work on FF 3.6, so it's not a polite way.

        I can see someone trying to fix it in http://community.jboss.org/thread/147897

       

      public class LoginFilter implements Filter {
          static private String LOG_TOPIC = LoginFilter.class.getName();
          static private Logger LOGGER = Logger.getLogger(LOG_TOPIC);
          static private final String DEFAULT_SUBJECT_KEY = "subject";
          private String appName_;
          private String subjectKey_;
         
          @Override
          public void init(FilterConfig config) throws ServletException {
              appName_ = config.getInitParameter("app-name");
              subjectKey_ = config.getInitParameter("subject-key");
              if (subjectKey_ == null) {
                  subjectKey_ = DEFAULT_SUBJECT_KEY;
              }
          }
         
          @Override
          public void doFilter(ServletRequest request,ServletResponse response, FilterChain chain) throws IOException, ServletException {
              HttpServletRequest httpRequest = (HttpServletRequest) request;
              String remoteUser = httpRequest.getRemoteUser();
             
              if (httpRequest.getSession().getAttribute("lc")==null && remoteUser != null) { 
                  if (LOGGER.isLoggable(Level.FINE)) {
                      Subject subj = (Subject) httpRequest.getSession().getAttribute(subjectKey_);
                      LOGGER.logp(Level.FINE, LOG_TOPIC, "doFilter()", "Subject found under key {0}:\n{1}",
                                  new Object[] {subjectKey_, subj });
                  }
                  System.out.println("entro al login!");
                  BundleCallbackHandler cb = new BundleCallbackHandler(remoteUser, getPassword(remoteUser));
                  try {
                      LoginContext ctx = new LoginContext(appName_, cb);
                      ctx.login();
                      Subject subj = ctx.getSubject();
                      httpRequest.getSession().setAttribute("lc", ctx);
                      httpRequest.getSession().setAttribute("cb", cb);
                      httpRequest.getSession().setAttribute(subjectKey_, subj);
                     
                           
                      response.setContentType("text/plain");
                      HttpServletResponse httpResponse = (HttpServletResponse) response;
                      httpResponse.setHeader("Location", "/VCarCli/VCarCli.html");
                      httpResponse.setStatus(httpResponse.SC_MOVED_TEMPORARILY);
                      LOGGER.info("Authenticated Subject " + subj    + ". Under session key " + subjectKey_);
                  } catch (LoginException e) {
                      LOGGER.logp(Level.WARNING, LOG_TOPIC, "doFilter()",
                                  "LoginException thrown when validating user {0}. Exception:\n{1}",
                                  new Object[] { remoteUser, e });
                  }
              }
              chain.doFilter(request, response);
          }
         
          private String getPassword(String userId) {

              ... get Password ...
          }
         
          @Override
          public void destroy() {
          }
         
      }

       

      public class LogoutServiceImpl extends RemoteServiceServlet implements LogoutService {
          private static final long serialVersionUID = 4980477256995261802L;
          private LoginContext ctx = null;
          private BundleCallbackHandler cb = null;
          private Subject subject = null;
         
          @Override
          public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
              HttpServletRequest httpRequest = (HttpServletRequest) req;
              subject = (Subject)httpRequest.getSession().getAttribute("subject");
              cb = (BundleCallbackHandler)httpRequest.getSession().getAttribute("cb");
              ctx = (LoginContext)httpRequest.getSession().getAttribute("lc");
              super.service(req, res);
          }

       

          @Override
          protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
              resp.sendRedirect("/VCarCli/login.html");
              super.doGet(req, resp);
          }
         
          public String logout() {
              try {
                  flashear();
                  ctx.logout();
                  logoutt();
              } catch (LoginException e) {
                  e.printStackTrace();
                  return e.getMessage();
              }
              return "";
          }
         
          private void flashear() {
             
              String domain = "vcarcli-policy";
             
              try {
               ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
             
              // Flush all cached entries in the given domain using the JaasSecurityManagerService
              // mbean registered under "jboss.security:service=JaasSecurityManager"
               Object[] params = {domain};
               String[] signature = {"java.lang.String"};
               MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
               server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
              } catch (MalformedObjectNameException e1) {
                  e1.printStackTrace();
              } catch (InstanceNotFoundException e2) {
                  e2.printStackTrace();
              } catch (MBeanException e3) {
                  e3.printStackTrace();
              } catch (ReflectionException e4) {
                  e4.printStackTrace();
              }       
          }
         
          public boolean logoutt() {
              System.out.println("logoutt");
              if (!subject.isReadOnly()) {
                  cb.setName(null);
                  cb.setPassword(null);
                  Set<Principal> principals = subject.getPrincipals();
                  subject.getPrincipals().removeAll(principals);
                  principals.clear();
                  Set<Object> creds = subject.getPublicCredentials();
                  subject.getPublicCredentials().removeAll(creds);
                  creds.clear();
                  cb = null;
                  principals= null;
                  creds =null;
                  subject=null;
                  return true;
                } else {
                  return false;
              }
          }
         
      }

       

      web.xml

       

      <?xml version="1.0" encoding="UTF-8" ?>

       

      <web-app version="2.5">
         
          <display-name>VCarCli</display-name>

       

          <welcome-file-list>
            <welcome-file>VCarCli.html</welcome-file>
          </welcome-file-list>

       

          <filter>
              <filter-name>login-filter</filter-name>
              <filter-class>com.gasban.server.LoginFilter</filter-class>
              <init-param>
                  <param-name>app-name</param-name>
                  <param-value>vcarcli-policy</param-value>
              </init-param>
              <init-param>
                  <param-name>subject-key</param-name>
                  <param-value>subject</param-value>
              </init-param>
          </filter>
         
          <filter-mapping>
                  <filter-name>login-filter</filter-name>
                  <url-pattern>/*</url-pattern>
          </filter-mapping>

       

          <servlet>
              <servlet-name>LoginFilter</servlet-name>
              <servlet-class>com.gasban.server.LoginFilter</servlet-class>
          </servlet>

       

          <servlet-mapping>
              <servlet-name>LoginFilter</servlet-name>
              <url-pattern>/loginfilter</url-pattern>
          </servlet-mapping>
                 
          <servlet>
              <servlet-name>LogoutService</servlet-name>
              <servlet-class>com.gasban.server.LogoutServiceImpl</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>

       

          <servlet-mapping>
              <servlet-name>LogoutService</servlet-name>
              <url-pattern>/logoutservice</url-pattern>
          </servlet-mapping>
         
          <session-config>
            <session-timeout>0</session-timeout>
          </session-config>
         
          <security-constraint>
           <web-resource-collection>
             <web-resource-name>VCarCli site</web-resource-name>
                  <description>Un ejemplo de configuración de seguridad que solamente permite a los usuarios con rol
                           JBossAdmin acceder a VCarcli
                     </description>
                     <url-pattern>/*</url-pattern>
                     <http-method>GET</http-method>
                     <http-method>POST</http-method>
           </web-resource-collection>
           <auth-constraint>
             <role-name>JBossAdmin</role-name>
           </auth-constraint>
         </security-constraint>

       

         <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
              <form-login-page>/login.html</form-login-page>
               <form-error-page>/login_failed.html</form-error-page>
            </form-login-config>
            <realm-name>vcarcli-policy</realm-name>
         </login-config>

       

         <security-role>
            <role-name>JBossAdmin</role-name>
         </security-role>
         
      </web-app>

       

      Can anyone help me please ?