10 Replies Latest reply on Aug 10, 2007 3:35 PM by Jon Whitmore

    The neverending logout topic

    Stefan Jakoubi Newbie

      Dear community,

      I am rather new to the JbossSX / JAAS topic and thus, I searched the forum to understand my problems, but I am not sure if I got everthing right.


      Scenario:
      I successfully secured a test web application via my custom login module and declarative security. Wonderful, but regarding the logout of an authenticated subject I got some problems / questions.


      Question 1:
      I first used Basic Auth ... read the solution within the forum that session.invalidate does not work.
      Thus, I switched to Form Auth (incl. j_security_check) ... session.invalidate does not work neither. Wrong ... it works, but the browser caches the credentials and performs itself a re-login (right?). Is there any other (easy / designated) solution than restarting the browser?

      Question 1a:
      I read that the manually invocation of the Basic Auth Popup is not possible, ok. Is this possible using Form Auth?
      If yes, then I could store an logout-attribute, check this at each page call and so I'd have a workaround regarding the browser's credential caching...

      Question 2:
      Is there a possibility to retreive the current LoginContext (although I didn't create the LoginContext instance within my code) in order to manually perform the logout method of my custom login module?


      I'd be so glad for helpful suggestions and solutions - and please don't damn me, if I missed an existing solution-topic and thus didn't read it :-/

      Thx

        • 1. Re: The neverending logout topic
          Stefan Jakoubi Newbie

          Hi again,

          I solved Question 1 ... at least for me ...

          Thus, I switched to Form Auth (incl. j_security_check) ... session.invalidate does not work neither. Wrong ... it works, but the browser caches the credentials and performs itself a re-login (right?)

          I first used a JSF Web Project - I guess I missed a configuration because the Form Auth really didn't work. Testing the same code within a "normal" Web Project - it works...
          Maybe a (my) JSF prob, but in fact I wear sackcloth and ashes regarding question 1 ;-)

          Especially Question 2 would yet be extreme interesting!

          Thx





          • 2. Re: The neverending logout topic
            Steve Sether Newbie

            I've had similar problems with Jboss authentication I inherited from another developer. I'm very interested in the answers to this problem, as currently my webapp doesn't seem to have any kind of timeout on logins.

            Currently I stay logged into the website until I either close the brower, or clear out all cookies and invalidate my session via my browser. I'm not using any EJBs, though I did find some references to login timeouts if you are using EJBs

            • 3. Re: The neverending logout topic
              Stefan Jakoubi Newbie

              Hiho,

              Did you try the Basic or Form Authentication? With the Form Auth ist should work...

              • 4. Re: The neverending logout topic
                Jon Whitmore Newbie

                Gentlemen

                I'm very interested in the issue of logging out as well. I have read many articles on the subject and nothing has worked so far.

                I'm authenticating with org.jboss.security.auth.spi.LdapExtLoginModule by redirecting users to /auth/portal/myPortal/myPage. This is working well. I have tried to invalidate the HttpSession and the PortletSession, but neither is working. I have my browsers configured to never save passwords for my dev site, so I'm not sure how they are automatically logging the user back in. Furthermore, invalidating my session is not erasing variables that my portlets have stored in the session - something I will post on another topic, but seemingly associated with my authenticated 'flag' not being reset.


                • 5. Re: The neverending logout topic
                  Mark Sim-Smith Newbie

                  If you are interested, I have an app where this is all working. I use FormAuthentication, and have a logout.jsp that we use for logging out:

                  <%
                  // get the current subject and its context within the security realm
                  final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject");
                  final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject);

                  // logout the context and invalidate the session
                  context.logout();
                  request.getSession().invalidate();

                  // redirect back to the default page for the context path
                  response.sendRedirect(request.getContextPath() + "/");

                  %>


                  Hope this helps.

                  • 6. Re: The neverending logout topic
                    Stefan Jakoubi Newbie

                    Ooooh yeah, this code...

                    // get the current subject and its context within the security realm
                    final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject");
                    final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject);

                    ... helps! Thank you very much!

                    @nollie: If you use Basic Authentication then the session invalidation will not work by concept. Using Form Authentication you'll have no problems. I only got troubles using a JSF Web Project, but I think this is "just" because of a configuration error of me...

                    • 7. Re: The neverending logout topic
                      Steve Sether Newbie

                      I think I've found the root of my problem. Basic Authentication.

                      Not many references talk about it, but it would appear that one of the major architectural differences between basic, and form based authentication is that basic authentication has no concept of a logged in user. The browser sends the credentials every time you access a protected page.

                      It's essentially impossible to "logout" a user from a website using basic authentication because they aren't logged in. The only way to make a webpage inaccessible to a user with a site using basic authentication is to get their browser to throw away the credentials. That means restarting the browser, or clearing out cookies.

                      • 8. Re: The neverending logout topic
                        Jon Whitmore Newbie

                        Dear unauthenticators

                        Thanks to chakotey07 and everyone else for their posts. Using smi-smith's code I have gotten a hold of a LoginContext, but calling the logout method leads to this error:

                        18:53:28,234 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                        java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                        at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
                        at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)


                        I've read elsewhere that this is indicative of a poorly configured security domain, but I can't figure out what's missing. I'm using the LdapExtLoginModule and I'm able to login and change passwords. Why is this simple file-based login module even being used? Do I just need some empty properity files?

                        - nollie



                        • 9. Re: The neverending logout topic
                          Stefan Jakoubi Newbie

                          Hi,

                          Please post your config file and the location of the prop-files, too!

                          Cheers,
                          chakotey07

                          • 10. Re: The neverending logout topic
                            Jon Whitmore Newbie

                            chakotey07

                            I've managed to declare the properties files and run the aforementioned code to logout ... only I didn't really logout. In any case, I cannot maintain a flat file of usernames and passwords so I'm keen to learn how I can avoid the UsersRolesLoginModule all together.

                            In my login-config.xml I am currently only defining my LdapExtLoginModule. Perhaps I should be defining an IdentityLoginModule as well?

                            Did you mean the jboss-portal.sar\conf\login-config.xml or the server\default\conf\login-config.xml?

                            nollie