[Acegisecurity-developer] logout functionality

[Tim Kettering]

I was looking around for logout tips/practices on the forums, and I found this thread from a while ago –   http://forum.springframework.org/viewtopic.php?t=5407&highlight=logout   So, as I understand this, setting a new security context in 0.9 and up will effectively log out a user.  The project I’m working on, which is a bunch of portlets running under a portlet container.  We are using Acegi to manage object-level permissions in the various portlets using ACL.    Since the changes to the user are not written back to the session until the end of the request – the changes do not take effect for that initial request.  On a standard webapp, this would normally not be an issue because the page could easily forward to a “logout” page or something, and then all future requests would be processed as usual.    However, with portlets, since we have Portlet A, Portlet B, and Portlet C and a Login/Logout Portlet all existing on one page, it works differently.  When I click the “logout” link on the login/logout portlet, the user is indeed logged out, but since the user still exists in session, Portlets A, B and C still render their views as if the user was still logged in.  It is not until the next web request (or a page reload) that the views are updated correctly.    I believe this occurs because of the two phase process (Action then Render) process.  The logout is executed in the Action phase, then all Portlets are rendered, but because the user is not removed from session until end of request, the Render phase still has the User in session visible, and acts accordingly so.   So from a user/developer point of view on the web page, the user has logged out, but the data that is displayed in portlets are still displaying as if the user was logged in.   As more people start using Spring, and Acegi to build portlet applications, I am quite certain this will become a common issue.  I plan to resolve this issue for the short term by explicitly clearing the ACEGI context from the session in the Action phase.  I do think that there should be some re-consideration for a unified (or at least an endorsed) strategy for clearing the user on logout from both the context and the session.    My understand of Acegi is still rather new – I’m learning this stuff as I go, so if I have made any misassumptions, feel free to correct me.  I thought it’d be a good time to bring this up for discussion w/ the devs.   -tim