I was looking around for logout tips/practices on the forums, and I found this thread from a while ago: http://forum.springframework.org/viewtopic.php?t=5407&highlight=logout

So, as I understand this, setting a new security context in 0.9 and up will effectively log out a user.

The project I’m working on is a bunch of portlets running under a portlet container. We are using Acegi to manage object-level permissions in the various portlets using ACL. Since the changes to the user are not written back to the session until the end of the request, the changes do not take effect for that initial request. On a standard webapp, this would normally not be an issue because the page could easily forward to a “logout” page or something, and then all future requests would be processed as usual.

However, with portlets, since we have Portlet A, Portlet B, and Portlet C and a Login/Logout Portlet all existing on one page, it works differently. When I click the “logout” link on the login/logout portlet, the user is indeed logged out, but since the user still exists in session, Portlets A, B and C still render their views as if the user was still logged in. It is not until the next web request (or a page reload) that the views are updated correctly.

I believe this occurs because of the two-phase (Action then Render) process. The logout is executed in the Action phase, then all Portlets are rendered, but because the user is not removed from session until the end of the request, the Render phase still has the User in session visible, and acts accordingly. So from a user/developer point of view on the web page, the user has logged out, but the data displayed in the portlets is still displayed as if the user were logged in.

As more people start using Spring and Acegi to build portlet applications, I am quite certain this will become a common issue. I plan to resolve this issue for the short term by explicitly clearing the ACEGI context from the session in the Action phase. I do think that there should be some reconsideration for a unified (or at least an endorsed) strategy for clearing the user on logout from both the context and the session.

My understanding of Acegi is still rather new; I’m learning this stuff as I go, so if I have made any mistaken assumptions, feel free to correct me. I thought it’d be a good time to bring this up for discussion w/ the devs.

-tim
- [Acegisecurity-developer] logout functionality Tim Kettering
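The short-term workaround described in the post (clearing the Acegi context from the session during the Action phase, so that the Render phase of the other portlets on the page no longer sees the old user), as an added example in Java that is not part of the original message or of Acegi itself. It assumes Acegi 1.0-era package names (`org.acegisecurity`; 0.9 used `net.sf.acegisecurity`), the JSR-168 portlet API, and a hypothetical `action=logout` request parameter; `ACEGI_SECURITY_CONTEXT_KEY` is the session attribute name `HttpSessionContextIntegrationFilter` uses.

```java
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import java.io.IOException;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.context.SecurityContextImpl;

// Added example (not from the original post). Assumes Acegi 1.0 package names
// (use net.sf.acegisecurity for 0.9) and a hypothetical "action=logout" parameter.
public class LogoutPortlet extends GenericPortlet {
    // HttpSession attribute under which HttpSessionContextIntegrationFilter keeps
    // the SecurityContext between requests.
    private static final String CONTEXT_KEY =
            HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY;

    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (!"logout".equals(request.getParameter("action"))) {
            return;
        }
        // Step 1: replace the thread-bound context. Alone, this only reaches the
        // session when the filter writes it back at the end of the request, which
        // is too late for the Render phase of the other portlets on the page.
        SecurityContextHolder.setContext(new SecurityContextImpl());

        // Step 2: remove the session copy immediately. APPLICATION_SCOPE attributes
        // map onto the underlying HttpSession, so every portlet rendered later in
        // this same request now reads an empty context instead of the old user.
        PortletSession session = request.getPortletSession(false);
        if (session != null) {
            session.removeAttribute(CONTEXT_KEY, PortletSession.APPLICATION_SCOPE);
        }
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        // Render from the thread-bound context only; never from a cached principal.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        response.setContentType("text/html");
        boolean loggedIn = auth != null && auth.isAuthenticated();
        response.getWriter().println(loggedIn
                ? "<p>Logged in as " + auth.getName() + "</p>" : "<p>Not logged in.</p>");
    }
}
```

Removing the session attribute is what makes the logout visible within the same request; the `setContext` call by itself only covers the thread that handled the Action phase.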