Thanks for your answer, anyway the explanation you give in the FAQ is really short and doesn't tell why if I put a breakpoint into the login() method of my login module it shows that the login() is not called the second time. The following steps display my scenario:
1) First time I login the breakpoint stops execution, showing that myLoginModule.login() has been called
2) I logout, invalidating the session in my logout action
3) I login again at the login page, logon is successful, but the breakpoint doesn't stop execution
Can you please explain this fact to me, please?
I'm using JBoss 4.0 beta, anyway. Tomorrow I'm going to test with the new stable 4.0.2, maybe it will behave differently.
Thanks for your help, anyway
I think I might need to get a handle to the LoginContext to logout as well...
I'm using j_security_check for form based auth. using a custom login module.
Upon logging in using the custom login module, things work as expected - however, upon logging out by invalidating my session in a "logout" servlet where I use the request dispatcher to take me to the next page, I have things showing up on the page that shouldn't because they are enclosed in isUserInRole blocks.
Upon clicking on the logout link again (which, by the way, is one of the things enclosed in a isUserInRole block), things work correctly.
I'm fairly certain the page is not being cached. Does the problem have to do with the fact that something having to do with the Principal/Subject is cached in the HttpRequest object (grasping)?
I've tried things like creating a new session after invalidating the original.
Please help - I've spent way too much time on something as simple as logging a user out.
Thanks in advance!
Did someone solve the problem described above by hoth256?
I have almost the same configuration:
- form-based authentication;
- custom LoginModule (let's call it myLM);
- JSF-based main page with "Logout" button;
- logout() method in page supporting bean which calls HttpSession invalidate() method;
- flushOnSessionInvalidation attribute set to "true" for my security-domain in the jboss-web.xml;
- JBoss ver. 4.0.2.
The problem seems to be the same as described: when I press the "Logout" button for the first time I'm not redirected to the login form; it is performed only after the second button hit. While performing some investigations I've found the next inconsistencies:
1. After fresh start of JBoss I log in via login form and redirected to main form.
2. I press the "logout" button:
- two breakpoints are reached consequently: one in bean.logout() then second in myLM.logout();
- active page is not changed to login form but remains the main page.
3. I press the "logout" button again:
- active page is changed to login form but no breakpoints are hit.
4. I try to login. After pressing the "login" button breakpoints are hit and after that I am redirected to the main page.
From this state steps 3 and 4 repeat.
So the question is: why the main page is not changed to login page after the first "logout" click? And what are those stuck logout actions?...
Thanks in advance for any comments!
If I recall correctly, this may have something to do with how your code moves you to the next page (I believe "login form") upon clicking the "Logout" button. I'm not 100% sure I had agreed with whoever sent me a response, but I moved on...
Again, if I recall correctly, a suggestion had been made to not use the request dispatcher to move you to the next page, but instead use the response object:
Where response is of type HttpServletResponse and "/" is where you want to go.
The rationale of the suggester, if memory serves, was that the session is still somewhat valid in the context of using the request object after a call to session.invalidate().
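
The two logout patterns discussed in this thread, side by side, as an added example that is not part of the original posts. It follows the rationale given above; the class names and the "/index.jsp" target are hypothetical, and the redirect goes to the context root on the assumption that the protected main page lives there.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Pattern reported as misbehaving: invalidate, then forward.
// The forwarded page is rendered inside the SAME request, which was
// authenticated before invalidate() ran, so isUserInRole() blocks on that
// page can still evaluate to true for this one response.
class ForwardingLogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // "/index.jsp" is a hypothetical page containing isUserInRole blocks.
        request.getRequestDispatcher("/index.jsp").forward(request, response);
    }
}

// Suggested pattern: invalidate, then redirect.
// The browser issues a NEW request with no valid session, so the container
// re-evaluates the security constraints and sends the user to the login form.
public class RedirectingLogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Keep the browser from replaying a cached copy of a protected page.
        response.setHeader("Cache-Control", "no-store");
        // Redirect to the context root (assumed to be a protected resource).
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```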
The FAQ helped me to solve the same problem.