Hi,

   Seem to be having an issue where identity retains roles after calling 
Identity.logout().

I'm using web services as well, so this may have something to do with it.  Here 
is the log output -


  11:49:06,056 INFO  [AuthenticatorHelper] logging in a, b via WS
  11:49:06,075 INFO  [Authenticator] authenticating a, b
  11:49:09,031 INFO  [Authenticator] Logged in?:true, Has admin role?:true
  11:49:09,038 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true
  11:49:10,794 INFO  [Authenticator] logging out
  11:49:12,433 INFO  [Authenticator] Logged in?:false, Has admin role?:true
  11:49:12,436 INFO  [AuthenticatorHelper] Checking via restricted webServices, in appropriate role: true

for this code


  import javax.ejb.Stateless;
  import javax.jws.WebMethod;
  import javax.jws.WebService;

  import org.jboss.seam.Component;
  import org.jboss.seam.annotations.In;
  import org.jboss.seam.annotations.Logger;
  import org.jboss.seam.annotations.Name;
  import org.jboss.seam.log.Log;
  import org.jboss.seam.security.Identity;

  @Stateless
  @WebService
  @Name("authenticator")
  public class Authenticator implements AuthenticatorLocal, AuthenticatorRemote {
      @Logger Log log;

      @In Identity identity;

      /*
       * This method is registered as the login callback in components.xml -
       * the call to identity.login() in AuthenticatorHelper below results in
       * this method being called.
       */
      public boolean authenticate() {
          // Note: this writes the clear-text password to the log.
          log.info("authenticating #0, #1", identity.getUsername(), identity.getPassword());

          identity.addRole("admin");
          return true;
      }

      @WebMethod
      public boolean logout() {
          log.info("logging out");
          if (identity.isLoggedIn()) identity.logout();
          return !identity.isLoggedIn();
      }

      @WebMethod
      public boolean loginWS(String username, String password) {
          // Look up (and create if needed) the Seam component that does the actual login.
          AuthenticatorHelper helper =
              (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
          return helper.loginWS(username, password);
      }

      @WebMethod
      //@Restrict("#{s:hasRole('admin')}")
      public boolean checkMeWS() {
          log.info("Logged in?:#0, Has admin role?:#1",
                   identity.isLoggedIn(), identity.hasRole("admin"));
          AuthenticatorHelper helper =
              (AuthenticatorHelper) Component.getInstance(AuthenticatorHelper.class, true);
          return helper.checkMeWS();
      }
  }

  ========================================

  import org.jboss.seam.annotations.In;
  import org.jboss.seam.annotations.Logger;
  import org.jboss.seam.annotations.Name;
  import org.jboss.seam.annotations.security.Restrict;
  import org.jboss.seam.log.Log;
  import org.jboss.seam.security.Identity;

  @Name("authenticatorHelper")
  public class AuthenticatorHelper {
      @Logger Log log;
      @In Identity identity;

      // Seam should refuse entry to this method unless the caller has the admin role.
      @Restrict("#{s:hasRole('admin')}")
      public boolean checkMeWS() {
          log.info("Checking via restricted webServices, in appropriate role: "
                   + Identity.instance().hasRole("admin"));
          return identity.isLoggedIn();
      }

      public boolean loginWS(String username, String password) {
          // Note: this writes the clear-text password to the log.
          log.info("logging in #0, #1 via WS", username, password);
          identity.setUsername(username);
          identity.setPassword(password);
          identity.login();   // triggers Authenticator.authenticate() above
          return identity.isLoggedIn();
      }
  }

There are three separate web service calls there, but I'm struggling to see how 
the third one could still show the admin role.  The documentation for 
Identity.logout() is a bit sparse - so I'm taking a guess as to what it 
actually does, but I would expect it to invalidate the session, and lose any 
role information.  Any ideas?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4105714#4105714

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
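The invariant the post expects from logout can be written down as a runnable check. The following is an added example, not code from the post or from Seam: `LogoutInvariantDemo`, `SessionIdentity`, `AuthCallback` and `requireRole` are hypothetical names for a minimal in-memory model of a session-scoped identity, not `org.jboss.seam.security.Identity`. It replays the three calls from the log (login, restricted check, logout, restricted check), shows the shape of the reported symptom with a deliberately faulty logout that only flips the logged-in flag, and shows the properties a correct logout and role check need: principal, credentials and roles are cleared together, and `hasRole` never answers true for an identity that is not logged in, so a guard equivalent to `@Restrict("#{s:hasRole('admin')}")` refuses rather than logging and continuing.

```java
import java.util.HashSet;
import java.util.Set;

/*
 * Added illustration for the thread above; hypothetical model, NOT Seam's
 * org.jboss.seam.security.Identity. It states the invariant the post expects
 * after logout: isLoggedIn() false, hasRole() false, restricted method refused.
 */
public class LogoutInvariantDemo {

    /** Thrown by the guard when a role-restricted method is entered without the role. */
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    /** Login callback, standing in for the authenticate() method registered in components.xml. */
    interface AuthCallback {
        boolean authenticate(SessionIdentity identity, String username, String password);
    }

    static class SessionIdentity {
        private String username;
        private boolean loggedIn;
        private final Set<String> roles = new HashSet<String>();

        boolean login(String user, String password, AuthCallback callback) {
            username = user;
            // The callback may call addRole() while authenticating, as in the post.
            if (callback.authenticate(this, user, password)) {
                loggedIn = true;
                return true;
            }
            unAuthenticate();   // a failed login must not leave roles behind either
            return false;
        }

        void addRole(String role) { roles.add(role); }

        boolean isLoggedIn() { return loggedIn; }

        /** Hardened check: a role is never granted to an identity that is not logged in. */
        boolean hasRole(String role) { return loggedIn && roles.contains(role); }

        /** Correct logout: principal and roles are dropped together, in one step. */
        void logout() { unAuthenticate(); }

        /**
         * Hypothetical faulty logout that only flips the flag. Together with a naive
         * role check it yields "Logged in?:false, Has admin role?:true", the shape of
         * the symptom in the log; this is not a claim about what Seam's logout() does.
         */
        void logoutFlagOnly() { loggedIn = false; }

        /** The naive role check: consults the role set without checking login state. */
        boolean rawRoleState(String role) { return roles.contains(role); }

        private void unAuthenticate() {
            loggedIn = false;
            username = null;
            roles.clear();
        }

        /** Equivalent of @Restrict("#{s:hasRole('admin')}"): deny, do not just log. */
        void requireRole(String role) {
            if (!hasRole(role)) {
                throw new AuthorizationException("role '" + role + "' required, user=" + username);
            }
        }
    }

    /** Mirrors checkMeWS(): enter the restricted method and report whether it ran. */
    static boolean restrictedCheck(SessionIdentity identity) {
        try {
            identity.requireRole("admin");
            return true;    // restricted method ran
        } catch (AuthorizationException e) {
            return false;   // restricted method refused
        }
    }

    public static void main(String[] args) {
        AuthCallback grantAdmin = new AuthCallback() {
            public boolean authenticate(SessionIdentity id, String user, String pw) {
                id.addRole("admin");   // as in Authenticator.authenticate() in the post
                return true;
            }
        };

        SessionIdentity identity = new SessionIdentity();
        identity.login("a", "b", grantAdmin);
        System.out.println("after login: loggedIn=" + identity.isLoggedIn()
                + " admin=" + identity.hasRole("admin") + " restricted ran=" + restrictedCheck(identity));

        // Faulty logout: the raw role set survives, yet the hardened guard still refuses.
        identity.logoutFlagOnly();
        System.out.println("flag-only logout: loggedIn=" + identity.isLoggedIn()
                + " raw role still present=" + identity.rawRoleState("admin")
                + " restricted ran=" + restrictedCheck(identity));

        // Correct logout: nothing survives and the guard refuses.
        identity.login("a", "b", grantAdmin);
        identity.logout();
        boolean ok = !identity.isLoggedIn() && !identity.hasRole("admin")
                && !identity.rawRoleState("admin") && !restrictedCheck(identity);
        System.out.println("full logout invariant holds: " + ok);
        if (!ok) throw new AssertionError("roles survived logout");
    }
}
```

The useful regression check for the real application is the last block of `main`: after calling the container's logout, assert on all three observations at once (login state, role state, and whether the restricted method actually ran) rather than on `isLoggedIn()` alone, since the log in the post shows those three can disagree.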
