
Web initiated logout doesn't clear authenticated identity in EJB

    Details

      Description

      After having authenticated via JASPIC, calling HttpServletRequest#logout and then requesting the caller/user principal (all within the same request), WildFly 8.2 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

      Cross-checking with the RI (GlassFish 4.0/4.1) reveals that there the EJB context is indeed cleared out.

      As a workaround, calling the following code after logout (e.g. in an Undertow event handler for SecurityNotifications) will clear the EJB context, but user apps should of course not need to call this code themselves:

      SecurityContextAssociation.clearSecurityContext();
      SecurityRolesAssociation.setSecurityRoles(null);
      

      A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java

      For WildFly 8.2 this will print:

      web username: test
      EJB username: test
      web username after logout: null
      EJB username after logout: test
      

      For GlassFish 4.0/4.1 this will print:

      web username: test
      EJB username: test
      web username after logout: null
      EJB username after logout: ANONYMOUS
      
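One way to apply the workaround above, as an added example that is not part of this issue or of the PicketBox/WildFly code base: an Undertow NotificationReceiver that clears the PicketBox context only on the LOGGED_OUT event, so the principal seen by EJBs goes away together with the web principal. It assumes Undertow's io.undertow.security.api.NotificationReceiver/SecurityNotification and io.undertow.servlet.handlers.ServletRequestContext, and PicketBox's org.jboss.security.SecurityContextAssociation/SecurityRolesAssociation, as shipped with WildFly 8.2; the class and servlet names are hypothetical.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityRolesAssociation;

import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityNotification;
import io.undertow.servlet.handlers.ServletRequestContext;

/** Added example (hypothetical class): clears the PicketBox (EJB-side) context on web logout. */
public class EjbContextClearingReceiver implements NotificationReceiver {

    @Override
    public void handleNotification(SecurityNotification notification) {
        // Only LOGGED_OUT matters; AUTHENTICATED and FAILED_AUTHENTICATION
        // must leave the PicketBox context untouched.
        if (notification.getEventType() == SecurityNotification.EventType.LOGGED_OUT) {
            SecurityContextAssociation.clearSecurityContext(); // drop principal/subject
            SecurityRolesAssociation.setSecurityRoles(null);   // drop cached role mapping
        }
    }

    /** Registers the receiver on the current Undertow exchange (per request, not global). */
    public static void registerForCurrentRequest() {
        ServletRequestContext.requireCurrent().getExchange()
            .getSecurityContext().registerNotificationReceiver(new EjbContextClearingReceiver());
    }

    /** Minimal servlet showing the order: register, then logout, then query principals. */
    @WebServlet("/logout-check")
    public static class LogoutCheckServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            registerForCurrentRequest();
            req.logout(); // fires LOGGED_OUT; the receiver clears the EJB context in the same call
            // From here on an EJB's SessionContext#getCallerPrincipal should no longer
            // return the logged-out user, matching the already-null web principal.
            resp.getWriter().println("web principal after logout: " + req.getUserPrincipal());
        }
    }
}
```

Registration is per exchange, so it must happen in the same request that calls logout; a deployment-wide registration would need a ServletExtension instead.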

People

Assignee: Stefan Guilhen (sguilhen)
Reporter: Arjan t (arjant)