0 Replies Latest reply on Oct 21, 2010 5:43 PM by Jose Miguel Loor

    flushOnSessionInvalidation not working on JBoss 5

    Jose Miguel Loor Apprentice

      Hi all,

      I have a question / problem with a custom LoginModule; the scenario is like this:

      My custom LoginModule extends HttpServletRequestLoginModule; I am implementing all the relevant methods (login, abort, logout, commit, etc.); I don't think the code in that LoginModule is relevant, but if it is needed I can post it.

       

      the login-config.xml looks like this:

       

      <application-policy name="SpyralSecurityPolicy">
          <authentication>
              <login-module code="com.carrasco.internet.security.JSFInternetLoginModule" flag="required">
                  <module-option name="wsUrl">http://someUrl</module-option>
              </login-module>
          </authentication>
      </application-policy>

       

      the jboss-web.xml looks like this:

       

      <jboss-web>
          <context-root>/spyralSecurity</context-root>
          <security-domain flushOnSessionInvalidation="true">
              java:/jaas/SpyralSecurityPolicy
          </security-domain>
      </jboss-web>

       

      and the web.xml looks like this:

       

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>SpyralSecurityApplication</web-resource-name>
              <url-pattern>/pages/*</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>*</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/login-error.jsp</form-error-page>
          </form-login-config>
      </login-config>

       

      in my application i have a logout action that does this:

       

      HttpServletRequest request = (HttpServletRequest) FacesContext
                      .getCurrentInstance().getExternalContext().getRequest();
      request.getSession().invalidate();

       

      As far as I know, this should be sufficient to log out and clear the LoginCredentials cache, but in the security log I have found this:

       

      2010-10-21 16:24:02,238 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] securityDomain=SpyralSecurityPolicy
      2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated Principal=com.carrasco.internet.security.UsuarioInternet@10ccf09
      2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Before flush of authentication cache::
      2010-10-21 16:24:02,245 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SpyralSecurityPolicy, org.jboss.security.plugins.SecurityDomainContext@19c92e2 to map
      2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
      2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin
      2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] After flush of authentication cache::
      2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
      2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin

       

      As you can see, before the flush of the authentication cache there is one authenticated principal, and after the flush of the authentication cache there is still one authenticated principal.

       

      Am I doing something wrong or missing something? Is this a bug in the JBoss 5.1.0.GA server?

       

      Please help, this is very urgent.
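As an added example (not code from the original post and not a claim about why flushOnSessionInvalidation misbehaves here), the logout action below invalidates the HTTP session and then explicitly flushes the JAAS authentication cache for the security domain through the JaasSecurityManager MBean, so the logout does not depend solely on the SecurityFlushSessionListener. It also exposes a check that reads the principals still cached for the domain, which is the same information the TRACE lines above report. Assumptions: the standard JBoss 4/5 MBean name jboss.security:service=JaasSecurityManager and its operations flushAuthenticationCache(String) and getAuthenticationCachePrincipals(String); that the JBoss MBeanServer is discoverable through javax.management.MBeanServerFactory.findMBeanServer; the domain name SpyralSecurityPolicy is taken from the login-config.xml in the post; the bean class LogoutBean and the navigation outcome "login" are hypothetical.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.List;

import javax.faces.context.FacesContext;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical JSF logout bean (added example, not from the original post).
 * Invalidates the session and then explicitly asks the JaasSecurityManager MBean
 * to flush the authentication cache for the security domain.
 */
public class LogoutBean {

    // Domain name taken from the login-config.xml in the post.
    private static final String SECURITY_DOMAIN = "SpyralSecurityPolicy";

    // Assumed: standard name of the JaasSecurityManager service MBean in JBoss 4/5.
    private static final String JAAS_MBEAN = "jboss.security:service=JaasSecurityManager";

    public String logout() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =
                (HttpServletRequest) ctx.getExternalContext().getRequest();

        // Drop the session first so nothing later in this request can reuse it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Explicit flush. Caveat: the one-argument operation evicts every cached
        // principal of the domain, not only the user logging out.
        try {
            flushAuthenticationCache(SECURITY_DOMAIN);
        } catch (Exception e) {
            // The session is already gone, which is the primary goal; log and continue.
            ctx.getExternalContext().log(
                    "Could not flush authentication cache for " + SECURITY_DOMAIN, e);
        }
        return "login"; // hypothetical JSF navigation outcome
    }

    /** Invokes flushAuthenticationCache(String) on the JaasSecurityManager MBean. */
    static void flushAuthenticationCache(String domain) throws Exception {
        MBeanServer server = locateServer(new ObjectName(JAAS_MBEAN));
        server.invoke(new ObjectName(JAAS_MBEAN), "flushAuthenticationCache",
                new Object[] { domain }, new String[] { String.class.getName() });
    }

    /**
     * Verification helper: returns the principals still cached for the domain,
     * i.e. what the listener logs as "Authenticated principal in cache=...".
     * An empty list after logout is the expected result.
     */
    @SuppressWarnings("unchecked")
    static List<Principal> cachedPrincipals(String domain) throws Exception {
        MBeanServer server = locateServer(new ObjectName(JAAS_MBEAN));
        Object result = server.invoke(new ObjectName(JAAS_MBEAN),
                "getAuthenticationCachePrincipals",
                new Object[] { domain }, new String[] { String.class.getName() });
        return result == null ? Collections.<Principal>emptyList() : (List<Principal>) result;
    }

    /**
     * On JBoss 5 the application's MBeanServer is not necessarily the platform
     * server, so search every MBeanServer registered in this JVM for the MBean.
     */
    private static MBeanServer locateServer(ObjectName name) {
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        for (MBeanServer server : servers) {
            if (server.isRegistered(name)) {
                return server;
            }
        }
        throw new IllegalStateException("MBean " + name + " not found in any MBeanServer");
    }
}
```

Calling LogoutBean.cachedPrincipals("SpyralSecurityPolicy") from a diagnostic page or a second request after the logout gives the same view as the "Number of authenticated principals remaining in cache" TRACE lines, which is the quickest way to tell whether the explicit flush had an effect that the listener's flush did not.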