1 Reply Latest reply on Feb 2, 2005 1:14 PM by Jesse Wilson

    Not able to logout after login

    donno Newbie

      I deployed a struts app to JBoss 3.2.3 using JBoss'
      UsersRolesLoginModule. In the LogoutAction I invalidate
      the session and redirect to a resource that requires login.
      The resource shows up without a login prompt. Here is
      the part of the web.xml:

      <web-resource-collection>
      <web-resource-name>Protected All Resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>

      <!-- Anyone with these roles may enter this area. -->
      <auth-constraint>
      <role-name>csr</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <!-- Default login configuration uses form-based authentication -->
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>csr</realm-name>
      </login-config>

      <!-- Security roles referenced by this web application -->
      <security-role>
      <role-name>csr</role-name>
      </security-role>

      jboss-web.xml:
      <jboss-web>
      <security-domain>java:/jaas/csr</security-domain>
      </jboss-web>

      In login-config.xml of JBoss I have
      <application-policy name = "csr">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name = "usersProperties">users.properties</module-option>
      <module-option name = "rolesProperties">roles.properties</module-option>
      </login-module>


      </application-policy>

      Login works fine but logout doesn't.

      Thanks for help.

      Donno