I've had similar problems with Jboss authentication I inherited from another developer. I'm very interested in the answers to this problem, as currently my webapp doesn't seem to have any kind of timeout on logins.

Currently I stay logged into the website until I either close the brower, or clear out all cookies and invalidate my session via my browser. I'm not using any EJBs, though I did find some references to login timeouts if you are using EJBs

Gentlemen

I'm very interested in the issue of logging out as well. I have read many articles on the subject and nothing has worked so far.

I'm authenticating with org.jboss.security.auth.spi.LdapExtLoginModule by redirecting users to /auth/portal/myPortal/myPage. This is working well. I have tried to invalidate the HttpSession and the PortletSession, but neither is working. I have my browsers configured to never save passwords for my dev site, so I'm not sure how they are automatically logging the user back in. Furthermore, invalidating my session is not erasing variables that my portlets have stored in the session - something I will post on another topic, but seemingly associated with my authenticated 'flag' not being reset.

If you are interested, I have an app where this is all working. I use FormAuthentication, and have a logout.jsp that we use for logging out:

<%
// get the current subject and its context within the security realm
final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject");
final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject);

// logout the context and invalidate the session
context.logout();
request.getSession().invalidate();

// redirect back to the default page for the context path
response.sendRedirect(request.getContextPath() + "/");

%>


Hope this helps.

I think I've found the root of my problem. Basic Authentication.

Not many references talk about it, but it would appear that one of the major architectural differences between basic, and form based authentication is that basic authentication has no concept of a logged in user. The browser sends the credentials every time you access a protected page.

It's essentially impossible to "logout" a user from a website using basic authentication because they aren't logged in. The only way to make a webpage inaccessible to a user with a site using basic authentication is to get their browser to throw away the credentials. That means restarting the browser, or clearing out cookies.

Dear unauthenticators

Thanks to chakotey07 and everyone else for their posts. Using smi-smith's code I have gotten a hold of a LoginContext, but calling the logout method leads to this error:

18:53:28,234 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)

chakotey07

I've managed to declare the properties files and run the aforementioned code to logout ... only I didn't really logout. In any case, I cannot maintain a flat file of usernames and passwords so I'm keen to learn how I can avoid the UsersRolesLoginModule all together.

In my login-config.xml I am currently only defining my LdapExtLoginModule. Perhaps I should be defining an IdentityLoginModule as well?

Did you mean the jboss-portal.sar\conf\login-config.xml or the server\default\conf\login-config.xml?

nollie