cheb1k4 cheb1k4 - 24 days ago 16
Java Question

JAAS logout does not work for custom login module

In my Java EE application running on a WildFly 9 server, I have a custom login module:

public class MyLoginModule extends AbstractServerLoginModule {

private Principal identity;

@Override
public boolean login() throws LoginException {
// do something
identity = new SimplePrincipal("test");
subject.getPrincipals().add(identity);
// do something else
return true;
}

@Override
public boolean logout() throws LoginException {
subject.getPrincipals().remove(identity);
return true;
}
}


The
login
method works as expected. But it's not the same with the
logout
method. When I write something like
request.getSession(false).invalidate();
from a
Servlet
or a web service, the
logout
method is nerver reached.

Here my configuration files:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">

<display-name>customer-area</display-name>

<security-constraint>
<web-resource-collection>
<web-resource-name>restricted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>*</role-name>
</security-role>

<login-config>
<auth-method>MY-AUTH</auth-method>
</login-config>

</web-app>


jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/MySecurityDomain</security-domain>
</jboss-web>


standalone.xml

<security-domain name="MySecurityDomain" cache-type="default">
<authentication>
<login-module code="mypackage.MyLoginModule" flag="required"/>
</authentication>
</security-domain>


ServletExtension
class:

public class MyServletExtension implements ServletExtension {

@Override
public void handleDeployment(final DeploymentInfo deploymentInfo, ServletContext servletContext) {

deploymentInfo.addAuthenticationMechanism("MY-AUTH", new AuthenticationMechanismFactory() {
@Override
public AuthenticationMechanism create(String mechanismName, FormParserFactory formParserFactory, Map<String, String> properties) {
return new MyAuthenticationMechanism();
}
});
}
}


AuthenticationMechanism
class:

public class MyAuthenticationMechanism implements AuthenticationMechanism {

@Override
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {

PasswordCredential credential = new PasswordCredential(new char[] {});
Account account = identityManager.verify("test", credential);
if (account != null) {
return AUTHENTICATED;
} else {
return NOT_AUTHENTICATED;
}
}
}


Did I miss something ?

Answer

The method which allow to reach MyLoginModule.logout() is request.logout(). I should have find it by myself!