users@glassfish.java.net

Re: LoginModule.logout() isn't called!

From: <glassfish_at_javadesktop.org>
Date: Mon, 06 Jul 2009 07:27:51 PDT

It doesn't look like there is any simple way to cause logout on your module, and no clear way to do so, using the same LoginContext on which the login was performed.
 
WebProgrammaticLogin.logout() calls LoginContextDriver.logout(), but the driver does not call logout on the JAAS login context. Moreover, the LoginContext used for the login is no longer available, and as such the best that could be done is to call logout on another LoginContext, acquired via the JAAS APIs and using the subject from the "current" authentication state.

You should be able to achieve the same effect by doing the following:

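// Subject of the caller as currently authenticated by the container
Subject s = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
// jaasCtx: name of the JAAS context; dummyCallbackHandler: a do-nothing CallbackHandler
LoginContext lc = new LoginContext(jaasCtx, s, dummyCallbackHandler);
lc.logout();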
 
assuming you have implemented logout in your login module, and given that you can accept that logout will be called on a different LoginContext instance (as noted above).
An anonymous doNothing impl of a CallbackHandler can be passed as the dummyCallbackHandler.

You might also wish to submit an RFE requesting that (Web)ProgrammaticLogin be enhanced such that its logout method calls LoginContextDriver.logout(), and that LoginContextDriver.logout() call LoginContext.logout().
You should also call (Web)ProgrammaticLogin.logout() in place of session.invalidate() to ensure that the request authentication state is reset.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=354243
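
Added example, not part of the original message and not GlassFish code: because logout runs on a different LoginContext, the LoginModule instance is new as well, so logout() cannot rely on fields set during login()/commit() and has to clean the Subject by what it finds there. Assumptions: AppPrincipal, AppLoginModule and the context name "appRealm" are hypothetical, the Subject is constructed here in place of the one returned by PolicyContext.getContext(...), and the Configuration is supplied inline so the demo runs on a plain JDK (16 or later).

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LogoutOnFreshContext {
    // Hypothetical principal type that only this module adds to a Subject.
    record AppPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical module. logout() is invoked on a freshly created instance,
    // so the only state it has is what initialize() receives: the Subject.
    public static class AppLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }   // login path is not exercised here
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() throws LoginException {
            if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
            // Remove by type, not by a reference remembered from commit().
            subject.getPrincipals().removeIf(p -> p instanceof AppPrincipal);
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the container Subject of the current caller.
        Subject s = new Subject();
        s.getPrincipals().add(new AppPrincipal("alice"));
        Configuration cfg = new Configuration() {   // inline JAAS config (assumption)
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    AppLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler noOp = callbacks -> { };     // do-nothing handler
        LoginContext lc = new LoginContext("appRealm", s, noOp, cfg);
        lc.logout();                                 // no prior login() on this context
        System.out.println("principals after logout: " + s.getPrincipals());
    }
}
```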