6 Replies. Latest reply on May 3, 2005 4:20 PM by starksm64

    Problem with logout with FORM based authentication and sessi

      Hi to all.
      I've read in the forum that when a web application has FORM based security, the way you can implement logout is by calling session.invalidate().
      I don't have problems when I request a resource under security protection. The form is shown to me and I validate correctly.
      The issue is that in my application I have a logout function to remove the userPrincipal stored in the request.
      The implementation of this logout function is session.invalidate(). But, after invalidating the session, the userPrincipal is still in the request.
      For example, I can see it with this code:

      // Invalidate the session, then check whether this same request still carries a principal
      request.getSession().invalidate();
      System.out.println("The user is in the request after logging out: ");
      System.out.println(request.getUserPrincipal() != null ? "SI" : "NO");
      

      And I can see in the console the answer "YES".

      Can anybody help me, please?
      Thanks a lot in advance

      P.S.: I'm using JBoss 4.0.1
      P.S.: If I call the logout function two consecutive times, then the userPrincipal does not exist. That is, to effectively log out the user, I have to click the logout twice in the web application. Of course, this is not desired behaviour. But why does session.invalidate() work the second time and not the first time I call it?

        • 1. Re: Problem with logout with FORM based authentication and s
          starksm64

          Invalidating the session does not remove the request principal from the current request.

          • 2. Re: Problem with logout with FORM based authentication and s

            And how could I remove the request principal?
            Thanks again.

            • 3. Re: Problem with logout with FORM based authentication and s
              starksm64

              You can't, short of rewriting the servlet request. Why should the principal be removed from the current request?

              • 4. Re: Problem with logout with FORM based authentication and s

                The issue is that my application is made with Struts and Tiles, and the menu tile (in summary, a JSP page) is composed of a public part and a private part that can only be accessed when a validated user (I've made the validation with a login form) is logged in.
                The implementation of the menu tile is more or less like the following code.
                I've used Struts logic tags.

                <logic:notPresent role="*">
                ....... Public menu components (login access included).....
                </logic:notPresent>
                <logic:present role="*">
                ......... Private menu components for a validated user (logout access included) .............
                </logic:present>
                

                Note: The '*' can be substituted by a concrete role as needed, of course.
                On the other hand, there are more ways of implementing this functionality, but I thought that this was the cleanest way to do it.
                As I mentioned before, in the previous topics, the logout functionality is implemented by session.invalidate(), but that action doesn't remove the request's user principal, so the first time the logout is called, the private menu part stays shown and the public menu part remains hidden. But the second time the logout function is called, the user principal doesn't exist and the public part of the menu is shown.
                If you tell me that I cannot remove the user principal from the request (by the way, it's logical), then I suppose I'll have to think of another implementation of the menu tile.

                Thanks a lot for your comments.

                Juanjo

                • 5. Re: Problem with logout with FORM based authentication and s
                  madalin

                  Similar issue here with 4.0.1sp1...Any plans?

                  Note: Version 3.0.6 - the principal is removed on logout...

                  Thank you

                  • 6. Re: Problem with logout with FORM based authentication and s
                    starksm64

                    There is no spec defined behavior that indicates that the request principal should change when the session is invalidated. In general, the request principal has nothing to do with the session. Only FORM auth has any association between the authenticated user and the session.
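
Added example (not code from the thread, from JBoss or from the poster's application) showing the pattern that follows from the last reply: since the principal attached to the current request cannot be removed, a logout handler should invalidate the session and then redirect, so the menu tile is rendered in a fresh request that the container evaluates without the invalidated session. The class name, the target page /index.jsp and the use of a plain servlet (rather than a Struts Action) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet for a FORM-authenticated web application
 * on a Servlet 2.4 container such as JBoss 4.0.1.
 *
 * The principal was attached to this request by the container when the
 * request was dispatched; session.invalidate() does not touch it. Rendering
 * the menu tile in this same request would therefore still show the private
 * part (the "click logout twice" symptom). Redirecting ends this request and
 * makes the browser issue a new one, on which getUserPrincipal() is null.
 */
public class LogoutServlet extends HttpServlet {

    private static final String PUBLIC_PAGE = "/index.jsp"; // assumed start page

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    private void doLogout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) avoids creating a new session just to invalidate it
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops the FORM-auth association between this session and the user
            session.invalidate();
        }
        // Do NOT forward to the menu tile here: request.getUserPrincipal()
        // is still non-null in this request. Redirect so the next request is
        // authenticated (or not) from scratch by the container.
        response.sendRedirect(request.getContextPath() + PUBLIC_PAGE);
    }
}
```

If the logout is a Struts Action instead, the equivalent is returning a forward declared with redirect="true" in struts-config.xml rather than a server-side forward to the page containing the menu tile.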