5 Replies Latest reply on Aug 10, 2011 7:31 AM by windigo

    Invoke Logout - Custom Loginmodule

    windigo

      I've a fat client which has to log in to JBoss 6 with a custom loginmodule.

       

      On client-side the auth-configuration looks like this. This way the client delegates the credentials to the server.

      MySecurityDomain {
         // jBoss LoginModule
         org.jboss.security.ClientLoginModule  required
         ;
      };
      

       

      On server-side the login-policy looks like this:

       

      <policy>
       <application-policy name="MySecurityDomain">
            <authentication>
                 <login-module code="com.MyLoginModule"
                      flag="required">
                 </login-module>
            </authentication>
       </application-policy>
      </policy>
      

       

      After getting the InitialContext the client logs in:

       

      SecurityClient client = SecurityClientFactory.getSecurityClient();
      CallbackHandler callbackHandler = new UserPasswordCallbackHandler(user, pw);
      client.setJAAS("MySecurityDomain", callbackHandler);
      client.login();
      

       

      The login is executed the first time the client tries to invoke a bean-method. That's fine.

       

      Logging out the client is done by

      client.logout();
      

       

      Invoking this method on the client calls only the logout method of ClientLoginModule.java but DOESN'T call the logout method of my custom MyLoginModule.

       

      What's the problem?

        • 1. Re: Invoke Logout - Custom Loginmodule
          windigo

          I think the author of this thread had the same question as me, but didn't get an answer.

           

          Please help me.

          • 2. Re: Invoke Logout - Custom Loginmodule
            jaikiran

            How is the server side MyLoginModule (i.e. com.MyLoginModule) being used? Is that security domain configured in some jboss-web.xml or jboss.xml?

            • 3. Re: Invoke Logout - Custom Loginmodule
              windigo

              It's an EAR application and it is configured in a jboss-app.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD Java EE Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">
              <jboss-app>
                   <security-domain>java:/jaas/MySecurityDomain</security-domain>
              </jboss-app>
              

               

              and to complete the picture... The loginmodule is integrated in the ear as a sar-module. My application.xml looks like this:

               

              <?xml version="1.0" encoding="UTF-8"?>
              <application xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_6.xsd" version="6">
                <display-name>Test</display-name>
                <module>
                  <ejb>TestEjb.jar</ejb>
                </module>
                <module>
                  <connector>MyLoginModule.sar</connector>
                </module>
              </application>
              
              
              • 4. Re: Invoke Logout - Custom Loginmodule
                windigo

                I think the problem is related to this issue - even if that issue is marked as resolved

                • 5. Re: Invoke Logout - Custom Loginmodule
                  windigo

                  I've found a workaround which is not perfect. On the client side you can invoke the method flushAuthenticationCache(String, Principal) on the MXBean jboss.security:JaasSecurityManager. This way you can force the server to remove the LoginContext for the specific user.

                   

                  The problem is when the same user logs in twice. When he logs off in one of the two sessions, the other is invalid too.
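
The workaround from the last reply, written out as an added example (not code posted in the thread). It assumes the MBean's full ObjectName is `jboss.security:service=JaasSecurityManager`, that the JMX invoker adaptor is bound in JNDI as `jmx/invoker/RMIAdaptor`, and that `org.jboss.security.SimplePrincipal` matches the principal type the server caches; `FullLogout` is a hypothetical helper name.

```java
import java.security.Principal;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.naming.Context;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.client.SecurityClient;

public final class FullLogout {
    // Assumptions, not taken from the thread: the JNDI name of the JMX invoker
    // adaptor and the full ObjectName of the security manager service.
    private static final String ADAPTOR_JNDI = "jmx/invoker/RMIAdaptor";
    private static final String SECURITY_MBEAN = "jboss.security:service=JaasSecurityManager";

    private FullLogout() {}

    /**
     * Evicts the server-side cache entry for the user, then clears the client side.
     * The flush runs first, while the client is still logged in.
     */
    public static void logout(SecurityClient client, Context ctx,
                              String domain, String user) throws Exception {
        if (domain == null || domain.isEmpty() || user == null || user.isEmpty()) {
            throw new IllegalArgumentException("security domain and user name are required");
        }
        try {
            MBeanServerConnection server = (MBeanServerConnection) ctx.lookup(ADAPTOR_JNDI);
            // The flush is per principal, so it evicts the entry for every session
            // of this user, which is the limitation the last reply describes.
            server.invoke(new ObjectName(SECURITY_MBEAN),
                    "flushAuthenticationCache",
                    new Object[] { domain, new SimplePrincipal(user) },
                    new String[] { String.class.getName(), Principal.class.getName() });
        } finally {
            // Always drop the client-side identity, even if the flush failed.
            client.logout();
        }
    }
}
```

Called as `FullLogout.logout(client, initialContext, "MySecurityDomain", user)` in place of the bare `client.logout()`. If the JMX invoker is itself protected by a security domain, the logged-in user needs a role that is allowed to invoke it.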