[
https://issues.apache.org/jira/browse/ISIS-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan-Willem Gmelig Meyling updated ISIS-1434:
--------------------------------------------
Description:
I have some files that I have stored in the resource folder, which I only want
to be available for authenticated users. So I have added the following contents
to my shiro.ini file:
```
[main]
authc.loginUrl = /wicket/signin
[urls]
/dist/** = authc
```
When I am not authenticated, retrieving a page from that folder correctly
brings me to Wicket. After logging in, the resource becomes available. However,
when I log out, either through the TertiaryActionsPanel in Wicket, or using the
logout call from the UserResource, it seems that my cookie is not cleared. I am
logged out from Wicket, but I can still access the resources (until I clear my
cookie on client side).
In this case I'm trying to protect a few resources, which is a kind of
ridiculous use case, but I think that this also applies for other servlet
filters, which may lead to some unwanted results.
was:
I have some files that I have stored in the resource folder, which I only want
to be available for authenticated users. So I have added the following contents
to my shiro.ini file:
```
[main]
authc.loginUrl = /wicket/signin
[urls]
/dist/** = authc
```
When I am not authenticated, retrieving a page from that folder correctly
brings me to Wicket. After logging in, the resource becomes available. However,
when I log out, either through the TertiaryActionsPanel in Wicket, or using the
logout call from the UserResource, it seems that my cookie is not cleared. I am
logged out from Wicket, but I can still access the resources (until I clear my
cookie on client side).
In this case I'm trying to protect a few resources, which is a kind of
ridiculous use case, but I think that this also applies for other servlet
filters, which may lead to some unwanted results.
> Cookie not cleared after logout, Shiro session remains active
> -------------------------------------------------------------
>
> Key: ISIS-1434
> URL: https://issues.apache.org/jira/browse/ISIS-1434
> Project: Isis
> Issue Type: Bug
> Components: Core: Security: Shiro
> Affects Versions: 1.12.1
> Environment: OSX
> Reporter: Jan-Willem Gmelig Meyling
> Assignee: Dan Haywood
> Priority: Minor
>
> I have some files that I have stored in the resource folder, which I only
> want to be available for authenticated users. So I have added the following
> contents to my shiro.ini file:
> ```
> [main]
> authc.loginUrl = /wicket/signin
>
> [urls]
> /dist/** = authc
> ```
> When I am not authenticated, retrieving a page from that folder correctly
> brings me to Wicket. After logging in, the resource becomes available.
> However, when I log out, either through the TertiaryActionsPanel in Wicket,
> or using the logout call from the UserResource, it seems that my cookie is
> not cleared. I am logged out from Wicket, but I can still access the
> resources (until I clear my cookie on client side).
> In this case I'm trying to protect a few resources, which is a kind of
> ridiculous use case, but I think that this also applies for other servlet
> filters, which may lead to some unwanted results.
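The report describes three pieces of state that have to end together on logout: the Shiro subject, the container session, and the browser cookie. The servlet below is an added example of a logout handler that clears all three; it is not code from Isis or from the reporter, and the class name, the `JSESSIONID` cookie name, and the requirement that the servlet be mapped behind the Shiro filter are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Hypothetical logout endpoint; must be reached through the Shiro filter. */
public class FullLogoutServlet extends HttpServlet {

    // Assumption: the session cookie uses the servlet default name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // 1. End the Shiro subject, so the authc filter guarding /dist/**
        //    no longer sees the old session id as authenticated.
        Subject subject = SecurityUtils.getSubject();
        subject.logout();

        // 2. Invalidate the container session if one is still alive.
        //    getSession(false) avoids creating a fresh session here.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Tell the browser to drop the cookie. This is hygiene only:
        //    steps 1 and 2 are what make a replayed cookie useless.
        String path = req.getContextPath();
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        resp.addCookie(expired);

        // Login URL taken from the shiro.ini in the report.
        resp.sendRedirect(path + "/wicket/signin");
    }
}
```

To confirm the behaviour, request a `/dist/` resource after logout while replaying the pre-logout cookie value; the expected result is a redirect to the login URL rather than the resource.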