1. Re: The neverending logout topic
chakotey07 Apr 17, 2007 2:36 AM (in response to chakotey07)
Hi again,
I solved Question 1 ... at least for me ... Thus, I switched to Form Auth (incl. j_security_check) ... session.invalidate does not work either. Wrong ... it works, but the browser caches the credentials and performs a re-login by itself (right?)
I first used a JSF Web Project - I guess I missed a configuration, because the Form Auth really didn't work. Testing the same code within a "normal" Web Project - it works...
Maybe a (my) JSF prob, but in fact I wear sackcloth and ashes regarding question 1 ;-)
Question 2 in particular would still be extremely interesting!
Thx
2. Re: The neverending logout topic
vellmont Apr 18, 2007 2:06 PM (in response to chakotey07)
I've had similar problems with JBoss authentication I inherited from another developer. I'm very interested in the answers to this problem, as currently my webapp doesn't seem to have any kind of timeout on logins.
Currently I stay logged into the website until I either close the browser, or clear out all cookies and invalidate my session via my browser. I'm not using any EJBs, though I did find some references to login timeouts if you are using EJBs.
3. Re: The neverending logout topic
chakotey07 Apr 19, 2007 2:11 AM (in response to chakotey07)
Hiho,
Did you try the Basic or Form Authentication? With the Form Auth it should work...
4. Re: The neverending logout topic
nollie Apr 23, 2007 5:41 PM (in response to chakotey07)
Gentlemen,
I'm very interested in the issue of logging out as well. I have read many articles on the subject and nothing has worked so far.
I'm authenticating with org.jboss.security.auth.spi.LdapExtLoginModule by redirecting users to /auth/portal/myPortal/myPage. This is working well. I have tried to invalidate the HttpSession and the PortletSession, but neither is working. I have my browsers configured to never save passwords for my dev site, so I'm not sure how they are automatically logging the user back in. Furthermore, invalidating my session is not erasing variables that my portlets have stored in the session - something I will post on another topic, but seemingly associated with my authenticated 'flag' not being reset.
5. Re: The neverending logout topic
sim-smith Apr 23, 2007 8:28 PM (in response to chakotey07)
If you are interested, I have an app where this is all working. I use FormAuthentication, and have a logout.jsp that we use for logging out:
<%
// get the current subject and its context within the security realm
final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject");
final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject);
// logout the context and invalidate the session
context.logout();
request.getSession().invalidate();
// redirect back to the default page for the context path
response.sendRedirect(request.getContextPath() + "/");
%>
Hope this helps.
6. Re: The neverending logout topic
chakotey07 Apr 24, 2007 3:18 AM (in response to chakotey07)
Ooooh yeah, this code...
// get the current subject and its context within the security realm
final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject");
final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject);
... helps! Thank you very much!
@nollie: If you use Basic Authentication then the session invalidation will not work by concept. Using Form Authentication you'll have no problems. I only got troubles using a JSF Web Project, but I think this is "just" because of a configuration error on my part...
7. Re: The neverending logout topic
vellmont Apr 24, 2007 11:19 AM (in response to chakotey07)
I think I've found the root of my problem. Basic Authentication.
Not many references talk about it, but it would appear that one of the major architectural differences between basic and form-based authentication is that basic authentication has no concept of a logged-in user. The browser sends the credentials every time you access a protected page.
It's essentially impossible to "logout" a user from a website using basic authentication because they aren't logged in. The only way to make a webpage inaccessible to a user with a site using basic authentication is to get their browser to throw away the credentials. That means restarting the browser, or clearing out cookies.
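Pulling together sim-smith's form-auth logout.jsp and vellmont's point about Basic Authentication, here is an added example (not code from this thread, nor from JBoss) of a plain Servlet 2.x logout servlet: it declines to pretend a BASIC-auth user can be logged out, and for FORM auth it invalidates the session, expires the session cookie on the client and sets no-cache headers so the back button does not reveal protected pages. The servlet name, its web.xml mapping, the welcome-page redirect and the JSESSIONID cookie name (the Tomcat/JBoss default) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: logout servlet for a FORM-authenticated web app (a /logout mapping in web.xml is assumed). */
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Never let this response be cached; protected pages should carry the same headers,
        // otherwise the browser's back button can still show content fetched while logged in.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0L);

        // With BASIC auth the browser resends the credentials on every request, so there is
        // no server-side login state to end; say so instead of silently "succeeding".
        if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(req.getAuthType())) {
            resp.setContentType("text/plain");
            resp.getWriter().println("BASIC authentication cannot be logged out server-side; "
                    + "close the browser to discard the cached credentials.");
            return;
        }

        // FORM auth: the authenticated principal lives in the HttpSession, so invalidating
        // it ends the login. getSession(false) avoids creating a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Also expire the session cookie on the client so the old id is never sent again.
        // JSESSIONID is the Tomcat/JBoss default name (assumed); adjust if your container differs.
        String ctx = req.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(ctx.length() == 0 ? "/" : ctx);
        resp.addCookie(cookie);

        // Redirect to the public welcome page of this context (assumed to be unprotected).
        resp.sendRedirect(ctx + "/");
    }
}
```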
8. Re: The neverending logout topic
nollie Aug 9, 2007 7:02 PM (in response to chakotey07)
Dear unauthenticators,
Thanks to chakotey07 and everyone else for their posts. Using sim-smith's code I have gotten a hold of a LoginContext, but calling the logout method leads to this error:
18:53:28,234 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
I've read elsewhere that this is indicative of a poorly configured security domain, but I can't figure out what's missing. I'm using the LdapExtLoginModule and I'm able to log in and change passwords. Why is this simple file-based login module even being used? Do I just need some empty property files?
- nollie
9. Re: The neverending logout topic
chakotey07 Aug 10, 2007 2:36 AM (in response to chakotey07)
Hi,
Please post your config file and the location of the prop-files, too!
Cheers,
chakotey07
10. Re: The neverending logout topic
nollie Aug 10, 2007 3:35 PM (in response to chakotey07)
chakotey07,
I've managed to declare the properties files and run the aforementioned code to log out ... only I didn't really log out. In any case, I cannot maintain a flat file of usernames and passwords, so I'm keen to learn how I can avoid the UsersRolesLoginModule altogether.
In my login-config.xml I am currently only defining my LdapExtLoginModule. Perhaps I should be defining an IdentityLoginModule as well?
Did you mean the jboss-portal.sar\conf\login-config.xml or the server\default\conf\login-config.xml?
nollie