How to logout & make users re-login
mcacace Mar 18, 2010 9:26 AMHi,
I'm trying to logout and force users go to in my custom auth-form avoiding access to my webApp.
I have GWT Project, JBoss 5.1.0 with JAAS , jdk1.6.0_17, GWT on clients , IE 7 & FF 3.6
My LoginContext.logout() doesn't throw any exception.
I tried to fix this cleanning credentials and principals,
setting callbackhandler's name/password to null from my subject,
setting DefaultCacheTimeout to zero but I didn't fix this.
I only could destroy cookie jsessionid in IE 7, but I doesn't work on FF 3.6, so it's not a polite way.
I can see someone trying to fix it in http://community.jboss.org/thread/147897
public class LoginFilter implements Filter {
static private String LOG_TOPIC = LoginFilter.class.getName();
static private Logger LOGGER = Logger.getLogger(LOG_TOPIC);
static private final String DEFAULT_SUBJECT_KEY = "subject";
private String appName_;
private String subjectKey_;
@Override
public void init(FilterConfig config) throws ServletException {
appName_ = config.getInitParameter("app-name");
subjectKey_ = config.getInitParameter("subject-key");
if (subjectKey_ == null) {
subjectKey_ = DEFAULT_SUBJECT_KEY;
}
}
@Override
public void doFilter(ServletRequest request,ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String remoteUser = httpRequest.getRemoteUser();
if (httpRequest.getSession().getAttribute("lc")==null && remoteUser != null) {
if (LOGGER.isLoggable(Level.FINE)) {
Subject subj = (Subject) httpRequest.getSession().getAttribute(subjectKey_);
LOGGER.logp(Level.FINE, LOG_TOPIC, "doFilter()", "Subject found under key {0}:\n{1}",
new Object[] {subjectKey_, subj });
}
System.out.println("entro al login!");
BundleCallbackHandler cb = new BundleCallbackHandler(remoteUser, getPassword(remoteUser));
try {
LoginContext ctx = new LoginContext(appName_, cb);
ctx.login();
Subject subj = ctx.getSubject();
httpRequest.getSession().setAttribute("lc", ctx);
httpRequest.getSession().setAttribute("cb", cb);
httpRequest.getSession().setAttribute(subjectKey_, subj);
response.setContentType("text/plain");
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Location", "/VCarCli/VCarCli.html");
httpResponse.setStatus(httpResponse.SC_MOVED_TEMPORARILY);
LOGGER.info("Authenticated Subject " + subj + ". Under session key " + subjectKey_);
} catch (LoginException e) {
LOGGER.logp(Level.WARNING, LOG_TOPIC, "doFilter()",
"LoginException thrown when validating user {0}. Exception:\n{1}",
new Object[] { remoteUser, e });
}
}
chain.doFilter(request, response);
}
private String getPassword(String userId) {
... get Password ...
}
@Override
public void destroy() {
}
}
public class LogoutServiceImpl extends RemoteServiceServlet implements LogoutService {
private static final long serialVersionUID = 4980477256995261802L;
private LoginContext ctx = null;
private BundleCallbackHandler cb = null;
private Subject subject = null;
@Override
public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
HttpServletRequest httpRequest = (HttpServletRequest) req;
subject = (Subject)httpRequest.getSession().getAttribute("subject");
cb = (BundleCallbackHandler)httpRequest.getSession().getAttribute("cb");
ctx = (LoginContext)httpRequest.getSession().getAttribute("lc");
super.service(req, res);
}
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.sendRedirect("/VCarCli/login.html");
super.doGet(req, resp);
}
public String logout() {
try {
flashear();
ctx.logout();
logoutt();
} catch (LoginException e) {
e.printStackTrace();
return e.getMessage();
}
return "";
}
private void flashear() {
String domain = "vcarcli-policy";
try {
ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
// Flush all cached entries in the given domain using the JaasSecurityManagerService
// mbean registered under "jboss.security:service=JaasSecurityManager"
Object[] params = {domain};
String[] signature = {"java.lang.String"};
MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
} catch (MalformedObjectNameException e1) {
e1.printStackTrace();
} catch (InstanceNotFoundException e2) {
e2.printStackTrace();
} catch (MBeanException e3) {
e3.printStackTrace();
} catch (ReflectionException e4) {
e4.printStackTrace();
}
}
public boolean logoutt() {
System.out.println("logoutt");
if (!subject.isReadOnly()) {
cb.setName(null);
cb.setPassword(null);
Set<Principal> principals = subject.getPrincipals();
subject.getPrincipals().removeAll(principals);
principals.clear();
Set<Object> creds = subject.getPublicCredentials();
subject.getPublicCredentials().removeAll(creds);
creds.clear();
cb = null;
principals= null;
creds =null;
subject=null;
return true;
} else {
return false;
}
}
}
web.xml
<?xml version="1.0" encoding="UTF-8" ?>
<web-app version="2.5">
<display-name>VCarCli</display-name>
<welcome-file-list>
<welcome-file>VCarCli.html</welcome-file>
</welcome-file-list>
<filter>
<filter-name>login-filter</filter-name>
<filter-class>com.gasban.server.LoginFilter</filter-class>
<init-param>
<param-name>app-name</param-name>
<param-value>vcarcli-policy</param-value>
</init-param>
<init-param>
<param-name>subject-key</param-name>
<param-value>subject</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>login-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>LoginFilter</servlet-name>
<servlet-class>com.gasban.server.LoginFilter</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginFilter</servlet-name>
<url-pattern>/loginfilter</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LogoutService</servlet-name>
<servlet-class>com.gasban.server.LogoutServiceImpl</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>LogoutService</servlet-name>
<url-pattern>/logoutservice</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>0</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>VCarCli site</web-resource-name>
<description>Un ejemplo de configuración de seguridad que solamente permite a los usuarios con rol
JBossAdmin acceder a VCarcli
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login_failed.html</form-error-page>
</form-login-config>
<realm-name>vcarcli-policy</realm-name>
</login-config>
<security-role>
<role-name>JBossAdmin</role-name>
</security-role>
</web-app>
Can anyone help me please ?