Details
-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
None
-
None
Description
After having authenticated via JASPIC, calling HttpServletRequest#logout and then requesting the caller/user principal (all within the same request), WildFly 8.2 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.
Cross-checking with the RI (GlassFish 4.0/4.1) reveals that there the EJB context is indeed cleared out.
As a workaround, calling the following code after logout (e.g. in an Undertow event handler for SecurityNotifications) will clear the EJB context, but this code should of course not be needed to be called by user apps:
SecurityContextAssociation.clearSecurityContext();
SecurityRolesAssociation.setSecurityRoles(null);
A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java
For WildFly 8.2 this will print:
web username: test EJB username: test web username after logout: null EJB username after logout: test
For GlassFish 4.0/4.1 this will print:
web username: test EJB username: test web username after logout: null EJB username after logout: ANONYMOUS
