[jetty-dev] Re: [jetty-user] JAASUserPrincipal loses roles after logoff and login in SSO setup

Henning,

OK, I've checked in a fix to jetty-6 svn trunk that may help you.
Here's the bug report for it: http://jira.codehaus.org/browse/JETTY-1077

Note that this fix was not particular to JAAS.

If you could build and test against jetty head, that would be great.

cheers
Jan

Jan Bartel wrote:
Henning,

A quick reply to let you know we're looking into this.

The SSO realm stuff has kind of atrophied over time and needs
some attention. I don't think the problem you're experiencing is
unique to the JAAS flavoured SSO realm.

Will post again when we've examined and updated the SSO realm.

thanks for the report,
Jan

Henning wrote:
Re-posting due to wrong mailing list. Sorry!
--------------------------------------------------------------

Hope that subject line captures my observation.

I am using a number of web apps on Jetty 6.1.12 with SSO turned on, so that users only need to login once, which works as expected.

There is also a logout feature that simply invalidates the current session (of one app) and deletes the SSO cookie. From Jetty's debug logs I can tell that the current user has indeed been logged out (considering UserRealm.logout(...) the effective logout). All other apps recognize the logout.
Everything works as expected up to here.

When logging in again at the same app I logged out from, that one app just works fine.

However, when switching over to any of the other apps, the user is recognized but has lost all its role assignments.

It's as if there was an old principal still in that other app's session (that, I assume, did not get cleared at the logout).

When debugging the role check, I see that when entering SSOJAASUserRealm.getRoles(...) from a request to that other app, the subject contains no roles. When debugging a similar request to the first app, I see that all roles show up in the subject.

Is there a way to have the SSO logout invalidate all sessions?

Thanks,
  Henning

--
Jan Bartel, Webtide LLC | janb@xxxxxxxxxxx | http://www.webtide.com