Announcement Announcement Module
Collapse
No announcement yet.
How to remove the x509 certificate after logout Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • How to remove the x509 certificate after logout

    Hi,

    I am using Spring x509 support for client-auth with JBoss server.
    I have the implemented a UserDetailsService and added the <x509/> element to the http security namespace config as shown here: http://static.springsource.org/sprin...ence/x509.html

    It works as expected. However when I try to logout, and then access a protected page again, it lets me access it.

    I have tried to logout using the <logout> element and setting the invalidate-session as true

    <logout logout-success-url="/myPath" invalidate-session="true"/>

    But it doesn't seem to invalidate the session as when I try to access a page, it doesnt prompt me to select the certificate, and uses the earlier certificate and lets me access the protected pages.

    I also tried to write my own LogoutHandler implementing the Spring LogoutHandler interface. In that I am clearing the Spring SecurityContextHolder and also invalidating the httpSession

    SecurityContextHolder.clearContext();
    request.getSession().invalidate();

    I still see the same issue. On debugging I see that even in the new request, the x509 cert is placed as an attribute and hence available and being used. How do I prevent that from happenning?

  • #2
    Once expressed which certificate to use from your browser the browser will remember that (depending on the browser and the settings). So you do logout but as soon as you request another page you login again...

    Comment


    • #3
      Isnt that a problem? Assuming the user goes away from the machine thinkning that he has logged out and another user clicks on the secured page link. Is there a particular setting in the browser that can be used to prevent this?

      Comment


      • #4
        The same applies to basic and digest authentication, the headers are send with each request so logging out doesn't work. The only thing that works (probably) is to close the browser...

        Comment

        Working...
        X