2 Replies Latest reply on Mar 28, 2013 2:16 AM by xiang yingbing

    How to log out a web application secured by secure domain? [answered]

    xiang yingbing Master

      Dear guys,

       

              My web application works well with the security domain configured in jboss 7.2.

              But I can NOT logout the web application.

              Please help me. Thank you very much.

       

      1. jboss-web.xml in my web application:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

          <security-domain>java:/jaas/ybxiang-forum-jaas-security-domain</security-domain>

      </jboss-web>

       

      2. web.xml in my web application:

      <?xml version="1.0" encoding="UTF-8"?>

      <web-app version="3.0" ...>

          ...

       

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>JSF resources</web-resource-name>

                  <description>Protects JSF resources</description>

                  <url-pattern>/faces/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>*</role-name>

              </auth-constraint>

          </security-constraint>

          <security-role>

              <role-name>*</role-name>

          </security-role>

          <login-config>

              <auth-method>BASIC</auth-method>

              <realm-name>ybxiang forum Authorization</realm-name>

          </login-config>   

      </web-app>

       

      When I visit my home page with web browser(firefox / IE), one dialog like this is poped out.

                login.dialog.JPG

       

      Now, I input my account, the home page is displayed. I think the login works well, because #{request.getUserPrincipal().getName()} in my navigator can tell me the login info correctly:

             navigator.JPG

       

       

      3. navigator.xhtml

       

      <?xml version='1.0' encoding='UTF-8' ?>

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

       

      <ui:composition xmlns="http://www.w3.org/1999/xhtml"

          xmlns:ui="http://java.sun.com/jsf/facelets"

          xmlns:h="http://java.sun.com/jsf/html">

       

          <div>

              <h:form id="search" >

                  <table width="100%" border="0" cellpadding="0" cellspacing="0" >

                      <tr>

                          <td width="50%">

                              <h:outputLink value="#{request.contextPath}/faces/index.xhtml" >

                                  <h:outputText value="Home" />

                              </h:outputLink>

                              <h:outputText value="      " />

                              <font color="red">

                                  <h:outputText value="Welcome #{request.getUserPrincipal().getName()}" />

                              </font>

                          </td>

                          <td width="50%" style="text-align: right;" >

                              <h:graphicImage value="/img/biggrin.gif" style="border:0px;" />

                              <h:outputText value="  " />

                              <h:outputLink value="#{request.contextPath}/faces/search.xhtml" >

                                  <h:outputText value="Search" />

                              </h:outputLink>

       

                              <h:outputText rendered="#{request.getUserPrincipal() == null}" value="  " />

                              <h:outputLink rendered="#{request.getUserPrincipal() == null}" value="#{request.contextPath}/faces/login.xhtml" >

                                  <h:outputText value="Login" />

                              </h:outputLink>

       

                              <h:outputText rendered="#{request.getUserPrincipal() == null}" value="  " />

                              <h:outputLink rendered="#{request.getUserPrincipal() == null}" value="#{request.contextPath}/faces/register.xhtml" >

                                  <h:outputText value="Register" />

                              </h:outputLink>

       

                              <h:outputText value="  " />

                              <h:outputLink rendered="#{request.getUserPrincipal() != null}" value="#{request.contextPath}/logoutServlet" >

                                  <h:outputText value="Log out" />

                              </h:outputLink>

                          </td>

                      </tr>

                  </table>

              </h:form>

          </div>     

      </ui:composition>

       

       

       

      4. logout Servlet

       

       

      import java.io.IOException;
      
      import javax.servlet.ServletException;
      import javax.servlet.annotation.WebServlet;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      
      /**
       * http://www.technicaladvices.com/2012/07/08/the-effective-java-logout-servlet-code/
       */
      @WebServlet("/logoutServlet")
      public class LogoutServlet extends HttpServlet {
          private static final long serialVersionUID = 1L;
      
          protected void doGet(HttpServletRequest request,
                  HttpServletResponse response) throws ServletException, IOException {
              response.setHeader("Cache-Control", "no-cache, no-store");
              response.setHeader("Pragma", "no-cache");
              //
              request.getSession().invalidate();//remove session.
              request.logout();//JAAS log out! do NOT work? (servlet specification)
              //response.sendRedirect(request.getContextPath() + "/login.jsp");
              response.sendRedirect(request.getContextPath());
          }
      }
      

       

      After I click the "Log out" Link, I found LogoutServlet is called as expect (I run jboss in debug mode in eclipse+jboss tools).

       

      But, after redirect to the home page or refresh home page many times, the navigator shows still the same:

             It is NOT logged out, the Authentication dialog does NOT appear again!

       

       

      What is the matter?

       

      Please help me.

      Thanks in advance.

        • 1. Re: How to log out a web application secured by secure domain? [codes are pasted]
          xiang yingbing Master

          Now, I debug the servlet and find that the servlet's principle is null!

           

          @WebServlet("/logoutServlet")

          public class LogoutServlet extends HttpServlet {

              private static final long serialVersionUID = 1L;

           

              protected void doGet(HttpServletRequest request,

                      HttpServletResponse response) throws ServletException, IOException {

           

                  boolean printJaasInfo = true;

                  if(printJaasInfo){

                      try{

                          System.out.println("LogoutServlet*********************************");

                          System.out.println("request.getClass().getName():"+request.getClass().getName());

                          System.out.println("isAdministrator:"+request.isUserInRole(KnownJaasRoles.ADMINISTRATOR));

                          System.out.println("remoteUser:"+request.getRemoteUser());

                          System.out.println("userPrincipalName:"+(request.getUserPrincipal()==null?"null":request.getUserPrincipal().getName()));//ybxiang

                          System.out.println("LogoutServlet*********************************");       

                      }catch(Exception e){

                          e.printStackTrace();

                      }

                  }

           

                  response.setHeader("Cache-Control", "no-cache, no-store");

                  response.setHeader("Pragma", "no-cache");

                  //

                  request.getSession().invalidate();//remove session.

                  request.logout();//JAAS log out! do NOT work? (servlet specification)

                  //response.sendRedirect(request.getContextPath() + "/login.jsp");

                  response.sendRedirect(request.getContextPath());

              }

          }

           

           

          The log is:

           

          13:11:06,140 INFO  [stdout] (http-localhost/127.0.0.1:80-1) LogoutServlet*********************************

          13:11:06,140 INFO  [stdout] (http-localhost/127.0.0.1:80-1) request.getClass().getName():org.apache.catalina.connector.RequestFacade

          13:11:06,140 INFO  [stdout] (http-localhost/127.0.0.1:80-1) isAdministrator:false

          13:11:06,140 INFO  [stdout] (http-localhost/127.0.0.1:80-1) remoteUser:null

          13:11:06,140 INFO  [stdout] (http-localhost/127.0.0.1:80-1) userPrincipalName:null

          13:11:18,656 INFO  [stdout] (http-localhost/127.0.0.1:80-1) LogoutServlet*********************************

           

          ****************************************************************************************************************************************

          More test

           

          Now,  I add logoutServlet into <web-resource-collection> in web.xml

           

          <web-resource-collection>
          <web-resource-name>JSF resources</web-resource-name>
          <description>Protects JSF resources</description>
          <url-pattern>/faces/*</url-pattern>
          <url-pattern>/logoutServlet</url-pattern>
          <url-pattern>/uploadServlet</url-pattern>
          </web-resource-collection>

           

           

          @WebServlet("/logoutServlet")

          public class LogoutServlet extends HttpServlet {

              private static final long serialVersionUID = 1L;

              static final Logger logger = Logger.getLogger(LogoutServlet.class.getName());

             

              protected void doGet(HttpServletRequest request,

                      HttpServletResponse response) throws ServletException, IOException {

                  logger.info("LogoutServlet>userPrincipalName:"+(request.getUserPrincipal()==null?"null":request.getUserPrincipal().getName()));//ybxiang

                 

                  //********************** log out(clean something) **********************//

                  response.setHeader("Cache-Control", "no-cache, no-store");

                  response.setHeader("Pragma", "no-cache");

                  response.setHeader("Expires", new java.util.Date().toString());//http://www.coderanch.com/t/541412/Servlets/java/Logout-servlet-button 

                  //

                  request.getSession().invalidate();//remove session.

                  request.logout();//JAAS log out (from servlet specification)! It is a MUST!

                 

                  //********************** print JAAS info again **********************//

                  logger.info("LogoutServlet>userPrincipalName:"+(request.getUserPrincipal()==null?"null":request.getUserPrincipal().getName()));//null!!!

           

                  //********************** redirect **********************//

                  response.sendRedirect(request.getContextPath());

              }

          }

           

          After request.logout(); is called, then request.getUserPrincipal() is null! It is what I expect!

          • 2. Re: How to log out a web application secured by secure domain? [codes are pasted]
            xiang yingbing Master

            When the servlet is redirect to the home page, the web browser is still in login status. I think the web browser login again with the cached username and password.

             

            The problem is still there, maybe I should clear more header info with:

            response.setHeader("xxx", "xxx, xxx");