I did notice this part of his response but it is not obvious to me how I
make this modification to my Grails app.
Les Hazlewood wrote:
Oops - you might have missed Jeremy's response:
"In my case, Spring was calling request.getUserName(), which under the hood
called JSecurity's getSubject(). To stop this from happening I had to set
the publishEvents init-param to false on my Spring DispatcherServlet, which
stopped Spring from calling the getUserName() function."
Try that. We'll get on the issue and fix it.
Thanks,
Les
On Fri, Feb 6, 2009 at 8:49 PM, Brad Whitaker <[email protected]> wrote:
Thanks for the response. This is a blocker for me. I disabled all of my
explicit getSubject() calls but perhaps something else is still making the
invocation. Would any Spring application be making this call? (In other
words, would any Grails app be making the same call that you saw?)
Thanks,
Brad
Jeremy Haile wrote:
I just ran into this same problem. I think it is a JSecurity bug. The
problem is that if any methods invoke getSubject() after logout() is called,
but during the same request, a new subject will be created. But since the
remember me cookie is still present, the subject gets created in the new
Session with the remembered principals.
The problem doesn't occur if getSubject() isn't called after logout(). In
my case, Spring was calling request.getUserName(), which under the hood
called JSecurity's getSubject(). To stop this from happening I had to set
the publishEvents init-param to false on my Spring DispatcherServlet, which
stopped Spring from calling the getUserName() function.
Still - this shouldn't be necessary and I think the onus is on JSecurity
to figure out how to make this not happen. Perhaps we can set a request
attribute that causes the remember me cookie to not be honored for the
remainder of that request. Any other ideas for how to work around this
problem?
I filed a bug report here: https://issues.apache.org/jira/browse/JSEC-57
Jeremy
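A constructed model of the sequence Jeremy describes (logout(), then a second getSubject() later in the same request, while the browser-sent rememberMe cookie is still on the request), added here as an illustration; it is not JSecurity or Grails code, and the class names and the "rememberMe.suppressed" request attribute are assumptions standing in for the fix he proposes:

```python
# Constructed model of the bug discussed in the thread; not JSecurity code.
# Request, SecurityManager and the SUPPRESS_ATTR name are illustrative assumptions.

REMEMBER_ME_COOKIE = "rememberMe"
SUPPRESS_ATTR = "rememberMe.suppressed"  # hypothetical request attribute


class Request:
    """One HTTP request: the cookies the browser sent cannot change mid-request."""
    def __init__(self, cookies):
        self.cookies = dict(cookies)   # fixed for the lifetime of the request
        self.attributes = {}           # mutable, lives only for this request
        self.session = {}              # server-side session bound to the request
        self.response_cookies = {}     # Set-Cookie headers queued for the response


class SecurityManager:
    def __init__(self, honor_suppress_attr):
        # True models the proposed fix: ignore rememberMe for the rest of the request
        self.honor_suppress_attr = honor_suppress_attr

    def decode_remembered(self, value):
        # Stand-in for decrypting the rememberMe cookie into a principal
        return value[len("remembered:"):] if value.startswith("remembered:") else None

    def get_subject(self, request):
        """Return the principal: from the session, else from the rememberMe cookie."""
        if "principal" in request.session:
            return request.session["principal"]
        if self.honor_suppress_attr and request.attributes.get(SUPPRESS_ATTR):
            return None  # logout() already ran in this request; do not honor the cookie
        cookie = request.cookies.get(REMEMBER_ME_COOKIE)
        principal = self.decode_remembered(cookie) if cookie else None
        if principal is not None:
            request.session["principal"] = principal  # new session with remembered principal
        return principal

    def logout(self, request):
        request.session.clear()
        request.response_cookies[REMEMBER_ME_COOKIE] = ""  # deletion only reaches the browser later
        request.attributes[SUPPRESS_ATTR] = True            # only effective when honored


def principal_after_logout(honor_suppress_attr):
    """Log out, then call get_subject() again in the same request (what Spring did)."""
    sm = SecurityManager(honor_suppress_attr)
    req = Request({REMEMBER_ME_COOKIE: "remembered:[email protected]"})  # constructed cookie
    sm.get_subject(req)          # request starts with a remembered subject
    sm.logout(req)
    return sm.get_subject(req)   # the late call that re-creates the subject
```

Without the suppress attribute the late getSubject() returns the remembered principal again, which is the behaviour Brad's log shows on the redirect; with it honored, the call returns no principal.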
On Feb 6, 2009, at 6:26 PM, Brad Whitaker wrote:
I'm having a problem that I don't fully understand. After I invoke
logout() the subject.principal becomes null as expected, but upon redirect
the subject.principal is no longer null -- the user is remembered again. The
log messages from JSecurity indicate a rememberMe cookie has been found when
I think it probably shouldn't be found.
The issue does not occur in my devel environment (Grails, HSQLDB) but
only in production (Tomcat, MySql, war deployed as ROOT). My signout code
does this:
log.info "signout: enter: getPrincipal=${SecurityUtils?.getSubject()?.getPrincipal()}"
SecurityUtils.subject?.logout()
log.info "signout: after logout: getPrincipal=${SecurityUtils?.getSubject()?.getPrincipal()}"
redirect(controller: 'home')
My log shows this. (You'll notice that I have several 'before' and
'after' filters)
02/06 15:10:57 INFO grails.app.controller.AuthController -
signout: enter: [email protected]
02/06 15:10:57 DEBUG org.jsecurity.web.attr.CookieAttribute - No
value found in request Cookies under cookie name [rememberMe]
02/06 15:10:57 INFO grails.app.controller.AuthController -
signout: after logout: getPrincipal=null
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter:
after: controller=auth action=signOut params=["action":"signOut",
"controller":"auth"] principal=null
02/06 15:10:57 DEBUG org.jsecurity.web.attr.CookieAttribute - Found
string value
[clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIG9RSOrT+nlejddqoRsTWWmEAWUuaOV3tZLci69POQ5k]
from HttpServletRequest Cookie [rememberMe]
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter:
before: controller=home action=null params=["controller":"home"]
[email protected]
02/06 15:10:57 INFO grails.app.filters.SslFilters - DebugFilter:
after: controller=home action=index params=["controller":"home"]
[email protected]
Is this a bug in JSecurity or am I doing something wrong? Is there a
workaround for this?
Thanks,
Brad