0 Replies Latest reply on Jan 31, 2008 3:20 PM by Kerry Jordan

    How to destroy a HTTP session (HELP!)

    Kerry Jordan Newbie

      I am having a problem implementing a logout page for an Adobe Flex application on JBoss 4.2.2.GA. The application sends commands to a secure (via JAAS basic authentication) JBoss Java servlet.

      I apparently correctly implemented the basic security and a custom login module (extending the AbstractServerLoginModule) since my web browser does request a username/password when I first attempt to download the client application. At this point, since JBoss is using basic authentication, the username/password is cached in my browser and sent with all other command requests. Additionally, JBoss is using session cookies so my JSESSIONID cookie is defined as well.

      When a logout command is sent by the client application, I attempt to invalidate the session by calling the getSession() method on the HttpServletRequest object and then calling the invalidate() method on the returned session. However, this does not call the logout method of my custom login module (which extends the AbstractServerLoginModule), remove the principal from the JBoss JaasSecurityManager cache, nor apparently cause the authentication cache of Internet Explorer to clear. In fact, it seems that the servlet does not have a HTTP session associated with it and obtains a new session object when I call the getSession() method (when I call getSession(false), a null reference is returned). I do not understand this... or how I can access (and destroy) the current HTTP session.

      My jboss-web.xml in the application .ear contains the following:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain flushOnSessionInvalidation="true">java:/jaas/MyRealm</security-domain>
      </jboss-web>

      which as I understand it, should cause the logout method of my custom login module to be called on session invalidation.

      I did manage to clear the JaasSecurityManager cache programmatically (which calls my logout method), but that still leaves the cache on Internet Explorer intact and the HTTP session still exists...

      import java.security.Principal;
      import javax.management.*;
      import javax.servlet.http.HttpServletRequest;

      // Flush the cached principal for MyRealm from the JaasSecurityManager MBean via JMX
      void flushJaasCache( HttpServletRequest req ) throws Exception {
          String domain = "MyRealm";
          Principal user = req.getUserPrincipal(); // req is HttpServletRequest
          ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager" );
          Object[] params = { domain, user };
          String[] signature = { "java.lang.String", Principal.class.getName() };
          MBeanServer server = ( MBeanServer ) MBeanServerFactory.findMBeanServer( null ).get( 0 );
          server.invoke( jaasMgr, "flushAuthenticationCache", params, signature );
      }

      I would like to destroy the session data (hopefully clearing the JSESSIONID cookie, calling my logout method, and clearing the browser authentication cache).

      Do I need to access the HTTP session information in a cache somewhere? And if so, how do I access it? Any thoughts or suggestions? I could really use some expert advice...

      Kerry
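An added example (not code from the post or from JBoss) showing how the three pieces fit together in one logout servlet on JBoss 4.2 / Servlet 2.5: invalidate the session only if it exists, flush the JaasSecurityManager cache with the JMX call from the question, expire the JSESSIONID cookie, and answer with a fresh 401 challenge. The class name LogoutServlet and its web.xml mapping are assumptions; the security domain "MyRealm" is the one from the post.

```java
import java.io.IOException;
import java.security.Principal;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical logout servlet for a BASIC-authenticated app on JBoss 4.2 (Servlet 2.5 API).
public class LogoutServlet extends HttpServlet {

    protected void doPost( HttpServletRequest req, HttpServletResponse resp )
            throws ServletException, IOException {
        // 1. Invalidate the server-side session only if one exists: getSession() with no
        //    argument creates a fresh session, which is why the poster never saw the old one.
        HttpSession session = req.getSession( false );
        if ( session != null ) {
            session.invalidate();
        }

        // 2. Evict the principal from the JaasSecurityManager cache via JMX (the MBean and
        //    operation from the question), so the next request is re-authenticated.
        Principal user = req.getUserPrincipal();
        if ( user != null ) {
            try {
                ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager" );
                MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer( null ).get( 0 );
                server.invoke( jaasMgr, "flushAuthenticationCache",
                        new Object[] { "MyRealm", user },
                        new String[] { "java.lang.String", Principal.class.getName() } );
            } catch ( Exception e ) {
                throw new ServletException( "flushAuthenticationCache failed", e );
            }
        }

        // 3. Expire the JSESSIONID cookie; the path must match the one the container set it with.
        Cookie dead = new Cookie( "JSESSIONID", "" );
        dead.setMaxAge( 0 );
        dead.setPath( req.getContextPath().length() == 0 ? "/" : req.getContextPath() );
        resp.addCookie( dead );

        // 4. Basic credentials are held by the browser and no response can delete them.
        //    A 401 with a new challenge makes most browsers prompt again; whether the cached
        //    pair is discarded is browser-specific, so a true logout needs FORM auth instead.
        resp.setHeader( "Cache-Control", "no-store" );
        resp.setHeader( "WWW-Authenticate", "Basic realm=\"MyRealm\"" );
        resp.sendError( HttpServletResponse.SC_UNAUTHORIZED );
    }
}
```

Note that flushing the cache on its own does not log a BASIC-authenticated user out: the browser resends the same valid credentials on the next request and the login module simply accepts them again.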