I believe you are absolutely correct Laurie, because I've not yet seen a way to get a handle to the LoginContext to call logout(). All we can do is invalidate the session - which we do when the user logs out. This removes the user principal from the request and indicates to JAAS that the user is no longer authenticated, meaning if they try to access a protected resource they are prompted to log in again. Additionally, while the core Request object has a setUserPrincipal(...) method, it is not exposed by the HttpServletRequest interface (nor by the Wrapper or Facade classes), so I can't even do it manually.

For background, we actually have two login pages: one is the login page that is running inside our webapp that is running JAAS and POSTs to j_security_check at form submission time. The other page is our company's main website (Apache) and users can log in here too. What we do is perform a GET (either Struts or JAAS does not like doing POSTs w/ parameters - it strips them off) to the default protected resource inside our webapp. What I believe to happen is that JAAS detects that the requested URI is protected so it redirects the user to the login page. I have a large scriptlet block at the top of the JSP page which looks for the login parameters (from the main website page) and uses them to try and authenticate. If it fails, JAAS dumps the user back at the webapp login page with the appropriate error message. If it succeeds, the user is placed at the default (protected) webapp page (or whatever page they originally requested).

All this works great and as designed. We have a LoginModule implementation that is called implicitly by JAAS to authenticate the user (the implementation ultimately uses database calls). The problem occurs when someone goes back to our main website and tries to log in again as user B when they are already authenticated as user A (i.e., they've not logged out). I believe JAAS takes a look at the request and says "Ah! I see you're already authenticated" and dumps the user back at the default webapp page but with user A's credentials, not user B's. In this second case, the login page is never hit the second time, which means I can't check to see if the session is already authenticated and force a logout before logging in as the different user.

In my perusing of JAAS on the web I found the following comment: "Although it is possible to use JAAS within Tomcat as an authentication mechanism (JAASRealm), the flexibility of the JAAS framework is lost once the user is authenticated. This is because the principals are used to denote the concepts of "user" and "role", and are no longer available in the security context in which the webapp is executed. The result of the authentication is available only through request.getRemoteUser() and request.isUserInRole()."

Hope that was clear.

--adam
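One way to implement Dale's suggestion in Adam's setup, as an added example that is not part of the thread: a servlet Filter mapped to the protected landing resource that invalidates user A's session when a login request naming a different user arrives, so the container cannot silently keep serving user A. It assumes the form-login parameter name j_username and a login page at /login.jsp; both are assumptions, not values from the thread.

```java
// Added example, not code from the thread. Assumptions: the incoming login request
// carries the username in "j_username" (the form-login parameter name) and the
// webapp's login page is /login.jsp; the filter is mapped in web.xml to the
// protected resource that the main website GETs with the login parameters.
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ReloginFilter implements Filter {

    private static final String USERNAME_PARAM = "j_username"; // assumption
    private static final String LOGIN_PAGE = "/login.jsp";    // assumption

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requestedUser = request.getParameter(USERNAME_PARAM);
        Principal current = request.getUserPrincipal();

        // A login attempt for B while A's principal is still bound to this session:
        // discard the whole session so the container has nothing to reuse, then send
        // the browser to the login page to authenticate as B from scratch.
        if (requestedUser != null && current != null
                && !requestedUser.equals(current.getName())) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // A redirect (not a forward) makes the next request arrive without the
            // old session cookie, so the container prompts for credentials again.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the redirect deliberately drops the submitted parameters, user B re-enters credentials on the webapp's own login form rather than being auto-logged-in from the main website's GET. Later Servlet 3.0 containers also offer HttpServletRequest.logout(), which did not exist when this thread was written.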

Laurie Harper wrote:
I don't think Container Managed Security has provisions for logging users out, other than by expiring the session (and not even then if you're relying on HTTP authentication rather than form-based).

If you have a separate 'login' page (as opposed to having a login form on each page) you might be able to get away with invalidating the session when that page is shown, with the caveat that logged in users would implicitly be logged out if they visit that page.

Perhaps it would help to more fully describe the use case (i.e. 'user is logged in and tries to log in...') and how it is failing (i.e. 'user stays logged in as old user'), along with specific details of how you have authentication configured.

L.

Adam Gordon wrote:
If you mean protecting the page w/ a security constraint, I think that would be a problem in that JAAS would detect that it's a protected resource and prompt the user to log in before hitting the login page and upon a successful login would redirect the user to the login page after they've already logged in. And even if I modified the login page to redirect to the default home page in the webapp, the problem is when they try logging in as someone else without logging out - JAAS/Tomcat detects that they are already logged in (have an authenticated session) and so would bypass any authentication mechanism.

--adam

Dale Newfield wrote:
Adam Gordon wrote:
We're using JAAS for webapp authentication and we've discovered an issue: If user A is logged in and tries to log in as user B, they stay logged in as user A.

Couldn't you protect the login form page and action so that they're only accessible by a session without any valid login credentials? That way the only way to log in as B would be to first log out as A (or in some other way start a new session w/o A's credentials).

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]