users@jaspic-spec.java.net

[JIRA] Commented: (JASPIC_SPEC-6) Support for HttpServletRequest#logout

From: arjan tijms (JIRA) <"arjan>
Date: Sun, 17 Feb 2013 21:39:57 +0000 (GMT+00:00)

    [ http://java.net/jira/browse/JASPIC_SPEC-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=356348#action_356348 ]

arjan tijms commented on JASPIC_SPEC-6:
---------------------------------------

After investigating what the most well known implementations (JBoss, GlassFish, Geronimo, WebLogic and WebSphere) do, it appears that in none of them {{HttpServletRequest#logout}} causes any method on a SAM to be invoked, except for Geronimo. In Geronimo calling {{logout()}} causes {{cleanSubject()}} on the SAM to be invoked.

p.s. JASPIC_SPEC-4 also mentions logout.

> Support for HttpServletRequest#logout
> -------------------------------------
>
> Key: JASPIC_SPEC-6
> URL: http://java.net/jira/browse/JASPIC_SPEC-6
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: arjan tijms
>
> Servlet 3.0 introduced the [HttpServletRequest#logout|http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()] method.
> Invoking this method does not seem to cause any method on a configured auth module to be invoked. This makes it impossible for an auth module to fully manage the authentication session. A specific use case is the implementation of a "remember me" functionality. For this the auth module can e.g. insert a cookie into the response after a successful initial authentication. This cookie should then live beyond a session expiration, but has to be removed when a user explicitly logs out.
> Without the auth module being notified of such an explicit logout invocation, there is no opportunity to remove said cookie.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
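The use case from the issue description (a SAM-managed "remember me" cookie that must be cleared on an explicit logout), as an added Java example that is not part of the issue or of any of the implementations named in the comment. It assumes a hypothetical cookie name, an in-memory map standing in for a server-side token store, and a container that actually invokes cleanSubject() from HttpServletRequest#logout, which per the comment only Geronimo did.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class RememberMeSam implements ServerAuthModule {
    static final String COOKIE = "REMEMBER_ME";   // hypothetical cookie name
    // Constructed stand-in for a server-side token store: opaque random token -> user name
    static final Map<String, String> TOKENS = new ConcurrentHashMap<String, String>();
    private CallbackHandler handler;
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }

    // Treats every request as protected: a valid remember-me token re-establishes the caller, else 401.
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        Cookie c = find((HttpServletRequest) mi.getRequestMessage());
        String user = c == null ? null : TOKENS.get(c.getValue());
        if (user == null) {
            ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
        } catch (Exception e) {
            throw new AuthException(e.getMessage());
        }
        return AuthStatus.SUCCESS;
    }

    // Called by the container on logout(): invalidate the token server-side, then tell the browser to drop the cookie.
    public void cleanSubject(MessageInfo mi, Subject subject) {
        Cookie c = find((HttpServletRequest) mi.getRequestMessage());
        if (c != null) {
            TOKENS.remove(c.getValue());
            Cookie expired = new Cookie(COOKIE, "");
            expired.setMaxAge(0);       // max-age 0 deletes; path must match the one the cookie was set with
            expired.setPath("/");
            ((HttpServletResponse) mi.getResponseMessage()).addCookie(expired);
        }
        subject.getPrincipals().clear();
    }
    private static Cookie find(HttpServletRequest req) {
        if (req.getCookies() != null) for (Cookie k : req.getCookies()) if (COOKIE.equals(k.getName())) return k;
        return null;
    }
}
```

Keeping only an opaque random token in the cookie and resolving it server-side is what lets cleanSubject() render a replayed cookie useless after logout even if the browser never honours the deletion.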