  • Logout in acegi 1.0-RC2

    Did anybody manage to make simple logout functionality with the acegi framework? After reading some threads here and several hours of experimenting I still cannot find a solution.

    So, this is what I tried to do:

    1. I created a logout servlet to process the logout and added a link to this servlet.

    2. Then I inserted the following code into the doGet method:
    Code:
    // drop the HTTP session that holds the SecurityContext
    i_request.getSession().invalidate();

    // expire the remember-me cookie
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(0);
    o_response.addCookie(terminate);

    // send the browser to the start page
    o_response.sendRedirect("index.jsp");
    but it doesn't work.

    3. Then I found a solution with setting a null context:
    Code:
    // replace the thread-local context with an empty one
    SecurityContextHolder.setContext(new SecurityContextImpl());
    but that didn't help either.

    4. And finally I found a solution that commences the entry point:
    Code:
    WebApplicationContext appContext =
        WebApplicationContextUtils.getWebApplicationContext(i_request.getSession().getServletContext());
    assert appContext != null;

    // get the entryPoint bean
    AuthenticationEntryPoint entryPoint = (AuthenticationEntryPoint) appContext.getBean("authenticationEntryPoint");
    assert entryPoint != null;

    // force a new authentication challenge
    AuthenticationException authException = new AccountExpiredException("Logout user");
    entryPoint.commence(i_request, o_response, authException);
    And I've got a login dialog in my browser! Great! But.... after logging in it tries to go to the current URL.... and it is my logout servlet.... so it makes logout one more time and displays the login page again and again and again and again....


    I tried to set AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY to index.jsp before, after and everywhere - but it didn't help...

    so, at the moment my doGet code is the following:
    Code:
    protected void doGet(HttpServletRequest i_request,
                         HttpServletResponse o_response) throws ServletException, IOException {
        // drop the HTTP session that holds the SecurityContext
        i_request.getSession().invalidate();

        // expire the remember-me cookie
        Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
        terminate.setMaxAge(0);
        o_response.addCookie(terminate);

        // replace the thread-local context with an empty one
        SecurityContextHolder.setContext(new SecurityContextImpl());

        WebApplicationContext appContext =
            WebApplicationContextUtils.getWebApplicationContext(i_request.getSession().getServletContext());
        assert appContext != null;

        // get the entryPoint bean
        AuthenticationEntryPoint entryPoint = (AuthenticationEntryPoint) appContext.getBean("authenticationEntryPoint");
        assert entryPoint != null;

        // force a new authentication challenge
        AuthenticationException authException = new AccountExpiredException("Logout user");
        entryPoint.commence(i_request, o_response, authException);

        // getSession() here creates a fresh session; the old one was invalidated above
        i_request.getSession().setAttribute(
            AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
            "index.jsp");
    }
    As you can see - I tried inserting everything... but the best result I got is a loop of login dialogs....

    So, it seems not such a big task to spend so much time on it.... Maybe I do something wrong? Did somebody manage to find an easy solution?

  • #2
    this snippet should do it,

    Code:
    request.getSession().invalidate(); //invalidate session
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(0);
    response.addCookie(terminate);
    //SecurityContextHolder.getContext().setAuthentication(null);  /*old*/
    SecurityContextHolder.clearContext(); //invalidate authentication



    • #3
      No, it didn't help

      Unfortunately no

      If I use only this code, an empty "logout" page is displayed. But if I then navigate to index.jsp, it opens without asking for a user name/password.

      Same as if I add a redirect into this code:
      Code:
      i_request.getSession().invalidate();

      Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
      terminate.setMaxAge(0);
      o_response.addCookie(terminate);

      SecurityContextHolder.clearContext();

      o_response.sendRedirect("index.jsp");
      The browser is navigated to index.jsp without asking for any new password.

      A little bit more information about my system:
      • Server: WinXP SP2, JBoss 4.0.3SP1, Java 1.5.0_06
      • Client (same computer) - FireFox 1.5



      • #4
        A little bit more information

        And yes, I'm using the latest public acegi: acegi-1.0.0-RC2



        • #5
          Use the code fragment posted (ie the clearContext() method). It will work. You shouldn't launch an AuthenticationEntryPoint manually. Just display a view that informs the user they've logged out. That should be enough.

          I suspect when you "logout", the user sees the "you've logged out" view and then in the same browser tries the home page again, and it displays. This seems like an authorization failure, but it is almost always because of caching. When the "unauthorized" home page is displayed, click refresh and see what happens.

          If this problem persists, please post your DEBUG log showing what's taking place during logout, and then on the next "unauthorized" request.



          • #6
            Is this issue closed?

            I have the same problem with `HTTP Digest Authentication'.
            (When I use `HTTP Form Authentication', I don't have it.)

            Because DigestProcessingFilter and DigestProcessingFilterEntryPoint have no concern with the session (or session ID), it seems the standard logout solution
            (i.e. session.invalidate(), SecurityContextHolder.clearContext(), ...) makes no sense.

            I wrote another implementation extending DigestProcessingFilter and DigestProcessingFilterEntryPoint, in which I changed the `nonce' format to
            Code:
            base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key + sessionId))
            for checking the sessionId, and it seemed enough for me, but I just don't think it's the right manner...

            I'm using 1.0.0-RC2, too.
            (IE6, tomcat 5.0.28, Java 1.4.2_06, spring 1.2.7 on WinXP SP2.)

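The session-bound nonce described in post #6, written out as an added example (this is not the poster's code nor Acegi's own DigestProcessingFilter). It mints and validates nonces in the format `base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key + sessionId))`. The key, clock values and session ids are constructed; `java.util.Base64` (Java 8+) and `MessageDigest` stand in for the commons-codec helpers Acegi used, and the class name and method names are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Session-bound Digest nonce, in the format described in post #6:
 *   base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key + sessionId))
 * Mixing the session id into the signed part means a nonce minted for one
 * session no longer verifies once session.invalidate() has produced a new id.
 */
public final class SessionBoundDigestNonce {

    /** Server-side secret; Acegi reads it from the entry point's "key" property (assumption: any opaque string). */
    private final String key;

    public SessionBoundDigestNonce(String key) {
        this.key = key;
    }

    /** Hex-encoded MD5 of a UTF-8 string, equivalent to commons-codec's DigestUtils.md5Hex. */
    static String md5Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(Character.forDigit((b >> 4) & 0xF, 16));
                hex.append(Character.forDigit(b & 0xF, 16));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required by RFC 2617 Digest authentication", e);
        }
    }

    /** Mint a nonce that is valid until expiryMillis and only for the given session id. */
    public String generate(long expiryMillis, String sessionId) {
        String signature = md5Hex(expiryMillis + ":" + key + sessionId);
        String plain = expiryMillis + ":" + signature;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Validate a nonce presented by the client against the session the request
     * arrived with. Returns null when the nonce is acceptable, otherwise a reason.
     * A signature mismatch (wrong key OR a different session id, e.g. after logout)
     * is reported as bad credentials rather than as a stale nonce: a "stale" reply
     * would let the browser silently retry with its cached password.
     */
    public String validate(String nonce, String currentSessionId, long nowMillis) {
        String plain;
        try {
            plain = new String(Base64.getDecoder().decode(nonce), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "nonce is not valid Base64";
        }
        int sep = plain.indexOf(':');
        if (sep < 0 || plain.indexOf(':', sep + 1) >= 0) {
            return "nonce should yield exactly two tokens";
        }
        long expiryMillis;
        try {
            expiryMillis = Long.parseLong(plain.substring(0, sep));
        } catch (NumberFormatException e) {
            return "nonce expiry is not a number";
        }
        String presented = plain.substring(sep + 1);
        String expected = md5Hex(expiryMillis + ":" + key + currentSessionId);
        // constant-time comparison so the check does not leak how many leading bytes matched
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   presented.getBytes(StandardCharsets.UTF_8))) {
            return "nonce signature does not match this key/session (bad credentials)";
        }
        if (expiryMillis < nowMillis) {
            return "nonce has expired (a stale=true challenge is appropriate here)";
        }
        return null;
    }

    public static void main(String[] args) {
        SessionBoundDigestNonce nonces = new SessionBoundDigestNonce("example-key"); // constructed key
        long now = 1_000_000_000L;                                 // constructed clock value
        String sessionBeforeLogout = "SESSION-BEFORE-LOGOUT";      // constructed id
        String sessionAfterLogout = "SESSION-AFTER-LOGOUT";        // constructed id of the new session

        String nonce = nonces.generate(now + 60_000, sessionBeforeLogout);
        // presented by the session it was minted for, before expiry
        System.out.println("same session, fresh : " + nonces.validate(nonce, sessionBeforeLogout, now));
        // presented after session.invalidate() gave the browser a new session id
        System.out.println("after logout        : " + nonces.validate(nonce, sessionAfterLogout, now));
        // presented by the original session after the expiry time has passed
        System.out.println("same session, later : " + nonces.validate(nonce, sessionBeforeLogout, now + 120_000));
        // presented with a value that is not a nonce at all
        System.out.println("garbage             : " + nonces.validate("!!not-base64!!", sessionBeforeLogout, now));
    }
}
```

The order of the checks matters: the signature is verified before the expiry time, so a nonce from a previous session fails as a credential error and the browser has to prompt the user again, while a genuinely timed-out nonce from the current session can still be answered with a stale challenge that the browser retries without bothering the user.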


            • #7
              I'm using an earlier release (0.9), but have a similar problem. I authenticate and things work great. Then I click on a link to logout, which calls an action that does this:

              request.getSession().invalidate();
              SecurityContextHolder.getContext().setAuthentication(null);

              Then it redirects to an insecure URL.


              After I logout and redirect, I go to the secure URL again and it goes directly there. The debug statement follows:

              context.HttpSessionContextIntegrationFilter (HttpSessionContextIntegrationFilter.java:177) - Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: 'net.sf.acegisecurity.context.SecurityContextImpl@b9cca6: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@b9cca6: Username: net.sf.acegisecurity.providers.dao.User@827d5f: Username: jeremy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@2add07: RemoteIpAddress: 127.0.0.1; SessionId: 59B412E798F2CB608DE0A83437302D32; Granted Authorities: ROLE_ADMIN'


              I had already tried clearing the cache and refreshing the page, but it still grants access to the URL.

              Any thoughts as to why? Maybe I'm understanding the process incorrectly.



              • #8
                There isn't enough log information here to really see what's happening, but have you verified that the session has actually been invalidated? Do you get a new session Id the second time round?

                And you don't say what type of authentication you are using... e.g. are you using BASIC authentication where the browser will automatically resubmit the login information?



                • #9
                  I have been using the Form authentication and the in memory database of users.

                  I was calling a mapped action that was making the calls to invalidate the session and clear out the authentication object. When I tried to see if the session id had truly changed I found that my debug outputs were not outputting. After trying to debug it a bit more, it looked like the forwarding was working but the action's execute code was not being called. Pretty strange.

                  In any case, I simply created a logout.jsp file for the system that used the same calls and it worked fine.

                  Weird problem but I think I won't worry about it and just use the jsp for now.

                  Thanks for the help.



                  • #10
                    Issue is still open

                    Itohh,

                    I think the problem is in using 'HTTP Digest Authentication', because in my case I'm using it and logout still doesn't work after all my experiments.

                    Could you explain your solution in a little bit more detail?

                    Thank you!



                    • #11
                      I am having this same problem. I did not try adding logout functionality until I moved up to 1.0 RC2. I am using Tomcat 5.5.15. Web framework is Wicket 1.1. The logout link logic invalidates the session and calls clearContext(). I have tried setting the authentication object to null.

                      Here is the sequence of events.

                      1) Click the logout link
                      2) Wicket displays a session is no longer valid page with a link to the home page (I will address this later)
                      3) Click the home page link
                      4) Tomcat assigns a new session id
                      5) The home page displays with the same user information (I display the user name) w/o requiring another authentication step
                      6) I can click any of the navigation links from there and continue with the session as if nothing changed



                      • #12
                        It works if you change
                        terminate.setMaxAge(0);
                        to
                        terminate.setMaxAge(-1);



                        • #13
                          still doesn't work for HTTP Digest Authentication

                          It still doesn't work for HTTP Digest Authentication.
                          Currently my Logout servlet looks like:
                          Code:
                          i_request.getSession().invalidate();

                          Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
                          terminate.setMaxAge(-1);
                          o_response.addCookie(terminate);

                          SecurityContextHolder.clearContext();

                          o_response.sendRedirect("index.jsp");
                          and after navigating to logout it redirects to index.jsp and opens it without asking for a password...

                          seems logout is too difficult a piece of functionality to implement ((



                          • #14
                            Simple logout solution that works...

                            In my jsp logoff page I put:

                            session.invalidate();
                            Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
                            terminate.setMaxAge(0);
                            terminate.setPath(request.getContextPath() + "/");
                            response.addCookie(terminate);

                            I noticed that if the following line:
                            terminate.setPath(request.getContextPath() + "/");
                            is not present and you use the remember me service
                            you won't get logged off... I also noticed that if the + "/" is not present
                            you won't log off either...
                            So this line seems to be vital.

                            Hope this helps... and if you find out why this "/" is required... I am interested.

                            regards,

                            Nicolas.

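A complete logout servlet that puts together the pieces that worked in this thread (the `clearContext()` advice in #2 and #5, and the cookie path observation in #14), written here as an added example rather than code from any of the posters or from the Acegi project. It assumes the Acegi 1.0.x package names `org.acegisecurity.context.SecurityContextHolder` and `org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices` (the 0.9 release used `net.sf.acegisecurity.*`), the Servlet 2.x API, and that `index.jsp` is not a protected URL. The `Cache-Control` headers address the caching that #5 points to; as #6 and #13 describe, none of this ends an HTTP Digest session, because the browser keeps resending the cached credentials.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumption: Acegi 1.0.x package names. Acegi 0.9 used net.sf.acegisecurity.* instead.
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;

/**
 * Logout servlet for form-based Acegi authentication: drop the session,
 * clear the thread-local security context, expire the remember-me cookie on
 * the path it was issued for, and send the browser to a public page with
 * caching disabled. It never invokes an AuthenticationEntryPoint itself.
 */
public class LogoutServlet extends HttpServlet {

    /** Page shown after logout; assumed to be outside the protected URL space. */
    private static final String LOGOUT_TARGET = "/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Drop the HTTP session. HttpSessionContextIntegrationFilter keeps the
        //    SecurityContext in the session, so this removes the persisted copy.
        //    getSession(false) avoids creating a session just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Clear the thread-local context so nothing later in this request (and
        //    nothing written back into a new session) still sees the old user.
        SecurityContextHolder.clearContext();

        // 3. Expire the remember-me cookie. A browser only replaces a cookie whose
        //    name AND path match the stored one, so the path must be the one the
        //    cookie was issued with; post #14 found contextPath + "/" to be the
        //    value that works. setMaxAge(0) deletes it now; a negative value would
        //    only turn it into a browser-session cookie that lives until exit.
        Cookie terminate = new Cookie(
                TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
        terminate.setMaxAge(0);
        terminate.setPath(request.getContextPath() + "/");
        response.addCookie(terminate);

        // 4. Keep this response out of the browser cache so a cached copy of a
        //    protected page cannot reappear after logout (the symptom in #5).
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // 5. Redirect to a public page. Commencing an AuthenticationEntryPoint here
        //    would make the next successful login return to this logout URL and loop.
        response.sendRedirect(request.getContextPath() + LOGOUT_TARGET);
    }
}
```

To check that the logout actually took effect, compare the session id before and after (post #8's question): the request after the redirect should arrive with a different `JSESSIONID`, and the Acegi DEBUG log should no longer show `HttpSessionContextIntegrationFilter` obtaining a `SecurityContext` from `ACEGI_SECURITY_CONTEXT` for that request.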


                            • #15
                              It's not working for me.
