8 Replies Latest reply on May 28, 2004 10:21 AM by anis

    logout when having used j_security_check

    mwallner Newbie

      Hi!

      I log my user in with the help of j_security_check, form-based. Works fine. But how can I then log out the user again?

      I use JBoss v. 3.2.3.

      Thanks,
      - Markus

        • 1. Re: logout when having used j_security_check
          Antonio Newbie

          if you are using JSP , try

          <% session.invalidate(); %>

          • 2. Re: logout when having used j_security_check
            anis Newbie

            Hi,

            session .invalidate() is not sufficient under JBoss.

            I have written a logout method that empties the subject from its principals then flushes the aiuthentication cache of JBoss.

            Are there any other methods?

            • 3. Re: logout when having used j_security_check
              mwallner Newbie

              anbenham, could you please post the source code of your method?

              Thanks,
              - markus

              • 4. Re: logout when having used j_security_check
                Giovanni Formenti Newbie

                I like to see this code too! :)

                Gio

                • 5. Re: logout when having used j_security_check
                  Rolf Arne Corneliussen Newbie

                   

                  "anbenham" wrote:
                  Hi,

                  session .invalidate() is not sufficient under JBoss.

                  I have written a logout method that empties the subject from its principals then flushes the aiuthentication cache of JBoss.

                  Are there any other methods?


                  It is true that you will not get an immediate JAAS logout when calling session.invalidate(), but the user will have to authenticate again, using the login page, in order to be authorized to access protected URL's. So for instance, after session.invalidate(), the user may safely leave the browser window open without risking other using their privileges.


                  • 6. Re: logout when having used j_security_check
                    anis Newbie

                    Hi here is the code.

                    public void logout() throws Exception {
                     if (getSubject() == null)
                     throw new Exception();
                     Set principals = getSubject().getPrincipals();
                     if (principals.size() > 0) {
                     Iterator i = principals.iterator();
                     NestableGroup roles = null;
                     NestableGroup callerPrincipal = null;
                     MyPrincipal user = null;
                     while (i.hasNext()) {
                     Object group = i.next();
                     if (group instanceof MyPrincipal)
                     user = (MyPrincipal) group;
                     if (group instanceof NestableGroup) {
                     NestableGroup nGroup = (NestableGroup) group;
                     if (nGroup.getName() == "Roles")
                     roles = nGroup;
                     if (nGroup.getName() == "Callerprincipal")
                     callerPrincipal = nGroup;
                     }
                     }
                     principals.remove(user);
                     principals.remove(roles);
                     principals.remove(callerPrincipal);
                     flushAuthCache(user);
                     }
                     }
                    
                    
                    private void flushAuthCache(MyPrincipal user) throws Exception {
                     try {
                     String domain = getDomain(user);
                     if ((user!= null) && (domain != null)) {
                    
                     InitialContext ctx = new InitialContext();
                     RMIAdaptor jbossServer = (RMIAdaptor) ctx.lookup("jmx/invoker/RMIAdaptor");
                     ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                     Object[] params = { domaene, benutzer };
                     String[] signature = { "java.lang.String", "java.security.Principal" };
                     jbossServer.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
                     }
                     } catch (Exception e) {
                     throw new Exception();
                     }
                    
                     }
                    


                    Is this code OK?
                    Is it dangereous to empty the Subject?

                    • 7. Re: logout when having used j_security_check
                      Senthil Kumar M Rangaswamy Newbie

                      Hai
                      Is this a correct way to do, cos i do have the same probs, and if its valid to do this can u please tell me where to keep this code, means in which class, and how this method will be called. and also tell me the confiuration details that i have to make this code to work.

                      Thanks in advance.
                      Senthil Kumar M Rangaswamy

                      • 8. Re: logout when having used j_security_check
                        anis Newbie

                        Hi,

                        I would like to know too if this is the right way to do that.#
                        I call that method just after the session.is invalidated ( I use a session listner).

                        Is it OK like that?

                        Do I have to empty the subject?

                        Is it garateed that the user is logged out in the ejb-container AND the web-container?