I just ran into this same problem. I think it is a JSecurity bug.
The problem is that if any methods invoke getSubject() after logout()
is called, but during the same request, a new subject will be
created. But since the remember me cookie is still present, the
subject gets created in the new Session with the remembered principals.
The problem doesn't occur if getSubject() isn't called after
logout(). In my case, Spring was calling request.getUserName(), which
under the hood called JSecurity's getSubject(). To stop this from
happening I had to set the publishEvents init-param to false on my
Spring DispatcherServlet, which stopped Spring from calling the
getUserName() function.
Still - this shouldn't be necessary and I think the onus is on
JSecurity to figure out how to make this not happen. Perhaps we can
set a request attribute that causes the remember me cookie to not be
honored for the remainder of that request. Any other ideas for how to
work around this problem?
I filed a bug report here: https://issues.apache.org/jira/browse/JSEC-57
Jeremy
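The sequence Jeremy describes, as an added example that is not part of this thread or of JSecurity's own code: a toy remember-me manager with stand-in request and response classes. FakeRequest, FakeResponse, the attribute name identityRemoved and the cookie value "brad" are all assumptions for illustration (a real remember-me cookie carries encrypted, serialized principals rather than a plain name). Without the flag, a getSubject() call after logout() in the same request rebuilds the subject from the cookie the browser already sent, because deleting the cookie only changes the response; with a request-scoped flag set by logout(), the late lookup ignores the stale cookie.

```java
import java.util.HashMap;
import java.util.Map;

// Minimal stand-ins for the servlet request/response; these are NOT JSecurity classes.
final class FakeRequest {
    final Map<String, String> cookies = new HashMap<>();     // cookies the browser sent with this request
    final Map<String, Object> attributes = new HashMap<>();  // request-scoped attributes
}

final class FakeResponse {
    boolean rememberMeCookieDeleted = false;                 // a "delete cookie" header has been queued
}

final class Subject {
    final String principal;                                  // null when anonymous
    Subject(String principal) { this.principal = principal; }
}

public final class RememberMeSimulation {
    static final String COOKIE = "rememberMe";
    // Hypothetical attribute name: marks that identity was removed earlier in this same request.
    static final String IDENTITY_REMOVED = "identityRemoved";

    private final boolean honorRemovedFlag;  // false reproduces the behaviour reported in the thread
    private Subject current;                 // subject bound to the current request/session, if any

    RememberMeSimulation(boolean honorRemovedFlag) { this.honorRemovedFlag = honorRemovedFlag; }

    // Stand-in for cookie decoding; a real manager would decrypt and deserialize principals here.
    private String rememberedPrincipal(FakeRequest req) {
        if (honorRemovedFlag && Boolean.TRUE.equals(req.attributes.get(IDENTITY_REMOVED))) {
            return null;  // logout already ran during this request: do not honor the cookie
        }
        return req.cookies.get(COOKIE);
    }

    Subject getSubject(FakeRequest req) {
        if (current == null) {
            current = new Subject(rememberedPrincipal(req));  // new subject, built from remembered identity
        }
        return current;
    }

    void logout(FakeRequest req, FakeResponse resp) {
        current = null;                        // session invalidated, subject discarded
        resp.rememberMeCookieDeleted = true;   // cookie is cleared in the RESPONSE only;
                                               // req.cookies still carries it for the rest of this request
        if (honorRemovedFlag) {
            req.attributes.put(IDENTITY_REMOVED, Boolean.TRUE);  // request-scoped: survives session invalidation
        }
    }

    // Runs the sequence from the thread: subject from cookie, logout(), then a late getSubject()
    // (the equivalent of Spring calling request.getUserName() after the controller returned).
    static String principalAfterLogout(boolean honorRemovedFlag) {
        RememberMeSimulation mgr = new RememberMeSimulation(honorRemovedFlag);
        FakeRequest req = new FakeRequest();
        FakeResponse resp = new FakeResponse();
        req.cookies.put(COOKIE, "brad");       // constructed sample: a valid remember-me cookie
        mgr.getSubject(req);                   // subject created from the cookie
        mgr.logout(req, resp);
        return mgr.getSubject(req).principal;  // what a later getSubject() in the same request sees
    }

    public static void main(String[] args) {
        System.out.println("without request flag: " + principalAfterLogout(false));
        System.out.println("with request flag:    " + principalAfterLogout(true));
    }
}
```

The flag has to live on the request rather than in the session because logout() invalidates the session, so anything stored there is gone by the time the late getSubject() runs; the request object is the only thing that outlives logout() until the response is committed. Clearing the cookie in the response remains necessary so the next request arrives without it, but on its own it cannot change what the current request already contains.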
On Feb 6, 2009, at 6:26 PM, Brad Whitaker wrote:
I'm having a problem that I don't fully understand. After I invoke
logout() the subject.principal becomes null as expected, but upon
redirect the subject.principal is no longer null -- the user is
remembered again. The log messages from JSecurity indicate a
rememberMe cookie has been found when I think it probably shouldn't
be found.
The issue does not occur in my devel environment (Grails, HSQLDB)
but only in production (Tomcat, MySql, war deployed as ROOT). My
signout code does this:
log.info "signout: enter: getPrincipal=${SecurityUtils?.getSubject()?.getPrincipal()}"
SecurityUtils.subject?.logout()
log.info "signout: after logout: getPrincipal=${SecurityUtils?.getSubject()?.getPrincipal()}"
redirect(controller: 'home')
My log shows this. (You'll notice that I have several 'before' and
'after' filters)
02/06 15:10:57 INFO grails.app.controller.AuthController - signout: enter: [email protected]
02/06 15:10:57 DEBUG org.jsecurity.web.attr.CookieAttribute - No value found in request Cookies under cookie name [rememberMe]
02/06 15:10:57 INFO grails.app.controller.AuthController - signout: after logout: getPrincipal=null
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter: after: controller=auth action=signOut params=["action":"signOut", "controller":"auth"] principal=null
02/06 15:10:57 DEBUG org.jsecurity.web.attr.CookieAttribute - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIG9RSOrT+nlejddqoRsTWWmEAWUuaOV3tZLci69POQ5k] from HttpServletRequest Cookie [rememberMe]
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter: before: controller=home action=null params=["controller":"home"] [email protected]
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter: after: controller=home action=index params=["controller":"home"] [email protected]
Is this a bug in JSecurity or am I doing something wrong? Is there a
work around for this?
Thanks,
Brad