[
https://issues.apache.org/jira/browse/ISIS-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346903#comment-15346903
]
Dan Haywood commented on ISIS-1434:
-----------------------------------
Thanks for providing this example. Also, the details about using Shiro to
secure resources is useful; I'll add it to our docs.
Anyway, I took your example and initially I thought it demonstrated the issue -
that after logout via wicket that the /dist/xxx resources were still available.
However, if I did a force reload (ignore cache) then it took me to the signin
page. This was without invalidating the shiro session.
That said, I do think it is correct that the shiro session should be
invalidated... ie SubjectUtils.getSubject().logout(). So I've gone ahead and
done this.
A note of caution though ... even with this implemented I find that I can
access the /dist/xxx after logout, because the browser serves the resource from
the cache. Doing a force reload correctly redirects to the signin page.
If the resources absolutely must not be available after login, then I think a
suitable cache expiry header would be required, eg decorated via a filter etc.
> Cookie not cleared after logout, Shiro session remains active
> -------------------------------------------------------------
>
> Key: ISIS-1434
> URL: https://issues.apache.org/jira/browse/ISIS-1434
> Project: Isis
> Issue Type: Bug
> Components: Core: Security: Shiro
> Affects Versions: 1.12.1
> Environment: OSX
> Reporter: Jan-Willem Gmelig Meyling
> Assignee: Dan Haywood
> Priority: Minor
> Fix For: 1.13.0
>
>
> I have some files that I have stored in the resource folder, which I only
> want to be available for authenticated users. So I have added the following
> contents to my shiro.ini file:
> {code}
> [main]
> authc.loginUrl = /wicket/signin
>
> [urls]
> /dist/** = authc
> {code}
> When I am not authenticated, retrieving a page from that folder correctly
> brings me to Wicket. After logging in, the resource becomes available.
> However, when I log out, either through the TertiaryActionsPanel in Wicket,
> or using the logout call from the UserResource, it seems that my cookie is
> not cleared. I am logged out from Wicket, but I can still access the
> resources (until I clear my cookie on client side).
> In this case i'm trying to protect a few resources, which is a kind of
> ridiculous use case, but I think that this also applies for other servlet
> filters, which may lead to some unwanted results.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
