Does SecurityContextLogoutHandler really invalidate the session? (Acegi 1.0.3+)
  • Does SecurityContextLogoutHandler really invalidate the session? (Acegi 1.0.3+)

    Hello all,

    I am using Acegi with my web app and I recently set up the logout filter to perform user logout and session invalidation.
    I saw that the session invalidation property has been available since 1.0.3, so I made sure that I have this version.

    Well, I put this stuff in place, and at first sight it seemed that everything was working correctly: I set my filterProcessesUrl to a URL called /logout.do, and put a link on my page.
    In my web app, I have put interceptors on different controllers to redirect the user to a role-specific page if his session is invalid or incomplete. This allows me to check whether the session has been correctly invalidated.

    So, I logged in to my web app, browsed a page, then logged out. Then I tried to access a protected page and, since the session had been invalidated, I was redirected to my specific home page. Everything looks fine: the logout filter has removed my session data from my session, and the session has certainly been invalidated. Taking a look at the log shows me this:

    Code:
    11:39:06,249 DEBUG [FilterChainProxy] [doFilter] /logout.do at position 1 of 2 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@89e0ef'
    11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@1eb52b5b: Authentication: [email protected]eb52b5b: Username: org.acegisecurity.userdetails.User@0: Username: testEmployeur; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEUR; Password: [PROTECTED]; Authenticated: true; Details: {_internal-iam-roles-key=[Ljava.lang.String;@18159b2}; Granted Authorities: ROLE_EMPLOYEUR'
    11:39:06,265 DEBUG [FilterChainProxy] [doFilter] /logout.do at position 2 of 2 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@e87e8'
    11:39:06,265 DEBUG [LogoutFilter] [doFilter] Logging out user '[email protected]eb52b5b: Username: org.acegisecurity.userdetails.User@0: Username: xvdtst033; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEUR; Password: [PROTECTED]; Authenticated: true; Details: {_internal-iam-roles-key=[Ljava.lang.String;@18159b2}; Granted Authorities: ROLE_EMPLOYEUR' and redirecting to logout page
    11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
    11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] SecurityContextHolder set to new context, as request processing completed
    This seems OK to me, even if I'm not sure I understand the last two lines.

    But, after this, I take a look at my WebLogic console to monitor the sessions for my webapp. And I realize that I still have 1 open session. If I go back to my login page, I see another session opening; now my WebLogic tells me 2 open sessions, etc.

    Maybe I am missing something? I had a look at the WebLogic documentation to understand how WebLogic "recycles" or "removes" invalidated sessions, but I could not find anything.

    Could someone tell me if he encounters the same behaviour with another application server? Or is this normal behaviour when invalidating sessions?
    I also tried to change my filterInvocationDefinitionSource chain, but with no real success.

    Thanks for your help.

  • #2
    Not even an idea?
    Could someone using LogoutFilter and another web server try to reproduce it, please?

    • #3
      If you follow the code through, you can see that invalidate is called on the session. Whatever the container then does with this is really out of Acegi's control.


      • #4
        Thanks for your help.
        Well, I solved my problem; this was not a problem with the SecurityContextLogoutHandler. In fact, my logout page was a JSP page, and WebLogic creates another session each time a session page is called.
        So, my session was correctly invalidated, but another one was created just after.

        I also had another problem with one of my filters (a logging filter) which created a new session.

        Thanks again, sorry for the inconvenience.

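As an added illustration of the root cause described in #4 (this is not code from the thread or from Acegi; the class name and log format are my own choices), here is a servlet filter that logs the session without creating one, and that flags any component further down the chain that creates a session during the request, which is how you would catch a JSP or a logging filter silently re-creating a session right after logout:

```java
// Added example, not part of the original thread or of Acegi.
// Logs the current session without creating one, and reports when a
// downstream component (a JSP without session="false", a filter calling
// request.getSession()) creates a session during the request.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionCreationAuditFilter implements Filter {

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI();

        // getSession(false) never creates a session; getSession() would,
        // which is exactly the bug the logging filter in #4 had.
        String before = currentSessionId(request);
        chain.doFilter(req, res);
        String after = currentSessionId(request);

        if (after != null && !after.equals(before)) {
            // A new session appeared while handling this request: something
            // after this filter called getSession() (or served a JSP that
            // did not declare <%@ page session="false" %>).
            System.out.println("WARN " + uri + " created session " + after
                    + " (before: " + before + ")");
        } else {
            System.out.println("INFO " + uri + " session=" + (after == null ? "none" : after));
        }
    }

    // Returns the id of the live session, or null if there is none or it
    // has been invalidated (getId() throws on an invalidated session).
    private static String currentSessionId(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) return null;
        try { return session.getId(); } catch (IllegalStateException e) { return null; }
    }

    public void destroy() {}
}
```

Place it first in web.xml's filter order so that every session created by later filters, the LogoutFilter redirect target, or a JSP shows up as a WARN line.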

        • #5
          Not a problem. It's nice to have some closure on these things. At least it's clear there isn't a bug in the framework anyway.
