On Wed 02 Nov 2011 09:52:24 AM CDT, Bengt Rodehav wrote:
> I'm using Shiro together with the http service in Apache Karaf which
> in turn uses Jetty under the hood. I use Shiro 1.1.
>
> I've created my own AuthorizingRealm since we have a legacy system
> that I redirect the authentication to. This seems to work and I can
> get the currently logged in user as follows:
>
> Subject subject = SecurityUtils.getSubject();
>
> When calling the "isAuthenticated" method I can see that the user is
> logged in.
>
> However, on each call from the web browser to my web application, a
> new authentication is being made. This means that I can't really log
> out the user, either explicitly or by session timeout. If I call
>
> subject.logout()
>
> I can see that the user is indeed logged out since "isAuthenticated"
> then returns false. But on the next request from the web browser the
> user is authenticated again and a new session is created. If I restart
> the web browser then I have to log in again, but as long as the web
> browser is running the user seems to be automatically
> re-authenticated. I use basic authentication and the behaviour is the
> same in both Chrome and Firefox.
>
> Obviously I haven't understood how these things work. Can anyone
> explain to me how I can log out a user both explicitly and via session
> timeout?
>
> /Bengt
If I understand what you're describing correctly, you are running into a browser behavior. Typically, when using HTTP BASIC authentication, the browser will cache the user's name and password, and send the auth header with every single request. This is very useful behavior for stateless webapps that require authentication. It's less useful when you're already tracking a known user.

Unfortunately, I know of no way to alter this behavior. One thing you could try is, when logging a user out, return a 401. This should cause the browser to re-ask the user for a username/password, which they could cancel. So, while that's the best that I can offer, it sounds like a crappy UI.

If you have a page-based, user-navigable webapp, you might consider using form authentication instead of basic. It avoids this issue completely.

Sorry I could not be of more help.

-Jared
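The "return a 401 on logout" approach Jared suggests, written out as a servlet, is shown below. This is an added illustration, not code from the thread or from the Shiro project; the servlet class name and the realm string are assumptions, and it targets the javax.servlet API that Shiro 1.x webapps used.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Hypothetical logout endpoint for a Shiro webapp protected by HTTP Basic auth.
// subject.logout() alone is not enough: the browser keeps the cached credentials
// and replays the Authorization header on the next request, so the user is
// transparently re-authenticated and a fresh session is created. Answering 401
// with a WWW-Authenticate challenge makes the browser discard/re-prompt instead.
public class BasicLogoutServlet extends HttpServlet {

    // Assumed realm name; it must match the realm the app uses for its challenges.
    private static final String REALM = "example";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            // Clears the principals and stops the Shiro session on the server side.
            subject.logout();
        }
        // Make sure nothing about this response is cached, then send the challenge.
        // The user can cancel the prompt, which is the UI downside noted above.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Logged out");
    }
}
```

Session timeout has the same problem: expiring the Shiro session on the server does nothing about the credentials the browser still holds, so for an interactive webapp the form-based authentication Jared mentions is the cleaner fix.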
