5 Replies Latest reply on Aug 10, 2011 7:31 AM by windigo

    Invoke Logout - Custom Loginmodule

    windigo Newbie

      I've a fat client which has to log in to JBoss 6 with a custom loginmodule.


      On client-side the auth-configuration looks like this. This way the client delegates the credentials to the server.

      MySecurityDomain {
         // jBoss LoginModule
         org.jboss.security.ClientLoginModule  required


      On server-side the login-policy looks like this:


       <application-policy name="MySecurityDomain">
                 <login-module code="com.MyLoginModule"


      After getting the InitialContext the client logs in:


      SecurityClient client = SecurityClientFactory.getSecurityClient();
      CallbackHandler callbackHandler = new UserPasswordCallbackHandler(user, pw);
      client.setJAAS("MySecurityDomain", callbackHandler);


      The login is executed the first time the client tries to invoke a bean-method. That's fine.


      Logging out the client is done by



      Invoking this method on the client calls only the logout method of ClientLoginModule.java but doesn't call the logout method of my custom MyLoginModule.


      What's the problem?

        • 1. Re: Invoke Logout - Custom Loginmodule
          windigo Newbie

          I think the author of this thread had the same question as me, but didn't get an answer.


          Please help me.

          • 2. Re: Invoke Logout - Custom Loginmodule
            jaikiran pai Master

            How is the server side MyLoginModule (i.e. com.MyLoginModule) being used? Is that security domain configured in some jboss-web.xml or jboss.xml?

            • 3. Re: Invoke Logout - Custom Loginmodule
              windigo Newbie

              It's an EAR application and is configured in a jboss-app.xml

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD Java EE Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">


              and to complete the picture... The loginmodule is integrated in the ear as a sar-module. My application.xml looks like this:


              <?xml version="1.0" encoding="UTF-8"?>
              <application xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_6.xsd" version="6">
              • 4. Re: Invoke Logout - Custom Loginmodule
                windigo Newbie

                I think the problem is related to this issue - even if that issue is marked as resolved

                • 5. Re: Invoke Logout - Custom Loginmodule
                  windigo Newbie

                  I've found a workaround which is not perfect. On client side you can invoke the method flushAuthenticationCache(String, Principal) on the MXBean jboss.security:JaasSecurityManager. This way you can force the server to remove the LoginContext for the specific user.


                  The problem is when the same user logs in twice. When he logs off in one of the two sessions, the other is invalid too.
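
The side effect described in reply 5, as an added example that is not part of the original posts and is not JBoss code: a toy cache registered on the in-JVM platform MBeanServer and flushed through a JMX `invoke` call. Only the operation name `flushAuthenticationCache(String, Principal)` and the domain name `MySecurityDomain` come from the thread; the `AuthCache` interface, the `example.security:type=AuthCacheDemo` object name, the session ids and the user `alice` are assumptions made for the demo.

```java
import java.lang.management.ManagementFactory;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class FlushCacheDemo {
    // Hypothetical management interface: only the operation name and its
    // (String, Principal) parameters are taken from the post.
    public interface AuthCache {
        void flushAuthenticationCache(String securityDomain, Principal user);
        boolean sessionValid(String sessionId);
    }
    // Toy cache keyed by domain and user name, so all sessions of a user share one entry.
    static class PrincipalKeyedCache implements AuthCache {
        private final Map<String, String> entries = new ConcurrentHashMap<>();  // key -> cached login
        private final Map<String, String> sessions = new ConcurrentHashMap<>(); // session id -> key
        void login(String sessionId, String domain, String user) {
            String key = domain + "/" + user;
            entries.putIfAbsent(key, "LoginContext for " + user);
            sessions.put(sessionId, key);
        }
        @Override public void flushAuthenticationCache(String securityDomain, Principal user) {
            entries.remove(securityDomain + "/" + user.getName());
        }
        @Override public boolean sessionValid(String sessionId) {
            String key = sessions.get(sessionId);
            return key != null && entries.containsKey(key);
        }
    }

    public static void main(String[] args) throws Exception {
        PrincipalKeyedCache cache = new PrincipalKeyedCache();
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example.security:type=AuthCacheDemo"); // constructed name
        server.registerMBean(new StandardMBean(cache, AuthCache.class), name);
        cache.login("session-A", "MySecurityDomain", "alice"); // constructed sample sessions
        cache.login("session-B", "MySecurityDomain", "alice");
        Principal alice = () -> "alice";
        // Logout of session A done the way the workaround does it: by user, not by session.
        server.invoke(name, "flushAuthenticationCache",
                new Object[] {"MySecurityDomain", alice},
                new String[] {String.class.getName(), Principal.class.getName()});
        System.out.println("session-A valid: " + cache.sessionValid("session-A"));
        System.out.println("session-B valid: " + cache.sessionValid("session-B"));
    }
}
```

Both sessions report as invalid after the flush, because the operation takes a security domain and a principal and has no way to name a single session.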