

JavaRanch » Java Forums » Engineering » Security

Unauthenticated Access to a Secured Resource?

Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
I'm working on a web application and I've run into an issue. I have secured the page "index.html" in my web application. Here's a snippet from my deployment descriptor:



This seems to work fine, initially. When I try to access index.html, I'm redirected to the login page. From there, I can log in to the application.

The problem really occurs when a user tries to log out or the user's session times out. When that happens, I send the user to a "logged out" page or a "session timed out" page. From there, I have a link so that the user can easily log back in to the application by going back to index.html.

The problem is that, when the user goes back to index.html, the user is not forced to authenticate again. Instead, the user goes right into that page. Without authentication, I have no idea who the user is (their data is stored in the session) and I get errors from my web app when the user tries to access it.

Once the session expires (or is invalidated via "request.getSession().invalidate()"), shouldn't the user be forced to authenticate to any secured resources once again? I thought that was the case, but it doesn't seem to be.

Any suggestions?

Thanks,
Corey


SCJP Tipline, etc.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 31057
Corey,
There are multiple timeouts involved. There is the session timeout which is the one you are discussing. There is also a WebSphere timeout for WAS authentication. If you are using a third party tool like Siteminder or Netegrity, they have their own logout timeouts too.

Check to see that all of these are set to the same value. If one is more than the others, you run into a situation similar to the one you are describing.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Originally posted by Jeanne Boyarsky:
There is also a WebSphere timeout for WAS authentication.


As usual, Jeanne to the rescue.

I'm assuming that this is the problem. How can I set this value?

Also, when the user logs out, how can I flag them as "unauthenticated" to WAS so that they'll have to reauthenticate in order to get back into my web application?

Thanks,
Corey
Simon Brown
sharp shooter, and author
Ranch Hand

Joined: May 10, 2000
Posts: 1913
You might also want to rule out the possibility that your web browser is caching the pages. To do this, you can place code like the following in your JSPs and/or servlets.



Good luck!
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 31057
Corey,
When logging a user out, you should do three things:
1) Destroy the HttpSession - session.invalidate()
2) Null out invocation credentials - new ServerSideAuthenticator().setInvocationCredentials(null);
3) If using SSO, unset the SSO cookie - new SSOAuthenticator().logout(req, res);

The WebSphere timeout for WAS authentication is in the admin console under the server. If I have time today, I'll try to be more precise.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 31057
Corey,
Security --> Authentication Mechanisms --> LTPA. The fourth item down is the timeout I was referring to. It makes sense that this would be global to all servers.

"The time period in minutes at which an LTPA token will expire. This time period should be longer than cache timeout configured in the Global Security panel. "

It's the server that has an option to override the cache timeout (Servers --> Application Servers --> <App Server Name> --> Server Security --> Server Level Security). This one is also set in the global security defaults. As long as it is less than the LTPA timeout, it wouldn't be the cause of the problem.
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Thanks, Jeanne - that all works great.

I'm still having just one problem. If the user opts to log out prior to their timeout, how do I get rid of the LtpaToken cookie? When the user goes beyond the Ltpa timeout interval, that cookie is expired and causes the user to have to reauthenticate. But how do I expire that cookie explicitly when the user chooses to log out, rather than being timed out?

I've tried expiring it in my Java code, like this:



That sets the max age to 0 successfully, but the cookie doesn't seem to actually expire, as I'd expect it to.

I've also tried deleting the cookie through JavaScript in my "you have logged out" page, but that doesn't seem to be working, either. Any ideas?

Thanks,
Corey
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 31057
Corey,
If you are using single sign on, the SSOAuthenticator.logout() call handles LTPA cookie deletion. Either way, it's a good idea to delete the cookie explicitly.

Don't you have to call response.addCookie() so the browser knows it has expired? If that doesn't work, try posting the cookie question in servlets.
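A logout servlet that carries out the steps discussed across this thread (invalidating the session, expiring the auth cookie with response.addCookie() as Jeanne asks about, and the no-cache headers Simon suggests), as an added example rather than code posted by anyone in the thread. The cookie names LtpaToken and JSESSIONID, the cookie paths, and the /loggedout.html page are assumptions; the WebSphere-specific ServerSideAuthenticator and SSOAuthenticator calls from Jeanne's list are left out because their classes are not shown on this page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Cookie names, paths and the
// logged-out page are assumptions for illustration.
public class LogoutServlet extends HttpServlet {
    // Cookies that must not survive an explicit logout (assumed names).
    private static final String[] AUTH_COOKIES = { "LtpaToken", "JSESSIONID" };

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // 1) Destroy the HttpSession so the server-side user data is gone.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // (WebSphere-specific credential/SSO logout calls from the thread would
        //  go here; their classes are not shown on this page, so they are omitted.)

        // 2) Expire the auth cookies. setMaxAge(0) on a Cookie object changes
        //    nothing by itself: the expired cookie must be sent back with
        //    response.addCookie(), and its name, path (and domain, if the
        //    original had one) must match, or the browser keeps the old cookie.
        for (String name : AUTH_COOKIES) {
            expire(res, name, "/");                   // assumed path of the SSO cookie
            expire(res, name, req.getContextPath());  // app-scoped variant
        }

        // 3) Stop the browser from serving the secured page from its cache,
        //    so "Back" cannot show index.html without a fresh request.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        res.sendRedirect(req.getContextPath() + "/loggedout.html");
    }

    // Send back a copy of the cookie that expires immediately.
    private static void expire(HttpServletResponse res, String name, String path) {
        Cookie dead = new Cookie(name, "");
        dead.setMaxAge(0);
        dead.setPath(path.isEmpty() ? "/" : path);
        res.addCookie(dead);
    }
}
```

If the original cookie was issued with a domain attribute, the expiring copy needs the same domain set via setDomain() as well, otherwise the browser treats it as a different cookie.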