• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Logout in JSF with Security managed by Glassfish v3.1

 
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi, I havent found a real solution for this problem, even when it is really common...

I have this context:

- JSF application running on Glassfish Server v3.1, JDK6. All in my personal computer with WinVista (This last should not be important).
- Using SSL and Basic authentication (Security of the container)
- I have done my logout() method in my backing bean invalidating the session and sending a redirect.

I can not make the container show again the Login box to validate the user, and be able to change of user... And my user always can go back, pressing the BACK button in the browser or just writing the URL, and continue doing thnigs there when is supposed that there should not be a existing session.

I am getting the name of the user the my backing bean is created:



And I use this name to perform operations...

Then for logout my xhtml has the code:



That calls this method in my bean::



I am declaring my backing bean with:



...Also I was doing the redirect from the the deployment descriptor... and it was the same.

If I close the browser the the session is lost and the container ask me again for user/pass.

Any suggestions?

Thanks a lot!

Alejandro.
 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is one of those things where it helps to see what you're doing, but I have my suspicions, so let me explain How Things Work and see if they suggest anything.

The first thing to realize is that having a session isn't the same thing as being logged in, although to log out, you destroy the session. JSF tends to accentuate that, since it requires more use of session-scope objects than most J2EE frameworks.

The second thing to realize is that J2EE container-managed security is based on incoming URLs. If you submit an unsecured URL, you won't be prompted for login, but if you submit a secured URL, you will, regardless of where you jumped in from. And it's worth noting that it is the URL that's being secured, not the backing beans or other internal objects. This can cause grief in JSF, where the URL you use isn't always the one primarily attached to the View in question.

The third thing to realize - and this is probably where your problem lies - is that BASIC security is tied to your browser. There's really no way to log out of a BASIC security session except to shut down your browser. Not even closing the application window is sufficient.

This last item is one of several reasons why most J2EE container-secured apps use FORM based authentication instead of BASIC authentication.
 
Greenhorn
Posts: 8
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
@Alejandro...

I have developed a logout feature in the JSF 2.0 but without SSL . what I did was to invalidate the session and return it back to the home page . It has worked fine so far...

public String logoutUser() {
try {
HttpSession session = getRequest().getSession(true);
session.invalidate();
loggedIn = false;
} catch (Exception e) {
logger.log(Level.SEVERE, "Exception " + e);
}
return "homepage";
}

Here , I have an extra flag called loggedIn to make sure if the user is still logged in .

Hope it helps .

:-)

 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Welcome to the JavaRanch, Sarah!

Alejandro is using J2EE's built-in Container Manager security system. It is always possible to tell if you're logged in under this system by simply looking at the HttpServletRequest. If the userId and UserPrincipal properties are null, the user is not logged in. Otherwise, the user is logged in. These properties operate in parallel, so when one is null, so is the other.

Your sample code omits something critical, which is the location of your "loggedIn" variable. It obviously isn't in the session, since logging out destroys the session. If you implement it as a backing bean property, the backing bean has gone out of scope when the session is destroyed. If you put it in a static class, a single instance would apply for all users, which would be a serious issue if you have more than one person logged in at once. And if you put it in a class instance, it's probably going to be shared in a multi-threaded environment, which leads to basically the same problem as putting it in a static class.
 
Sarah Timberlake
Greenhorn
Posts: 8
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim...
well thats true ... may be something can be done in Session Listener...

public void sessionDestroyed(HttpSessionEvent se) {
HttpSession session = se.getSession();
// codes here...
}

I believe the data can be collected here just before the session is destroyed... I am focusing more on how not to let the user go back into the previous loggedin mode after the logout (ofcourse it has some tradeoffs)
and I am totally with you on "There's really no way to log out of a BASIC security session except to shut down your browser".

Thanks
 
Sarah Timberlake
Greenhorn
Posts: 8
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
One more option ... instead of using managedBean we can use ejb session bean as a one in JSF 2.0 and EJB 3.1 . That way , we don't need to go through managedbean at all and hence can get rid of the abovementioned shortcomings ....
 
Fidel Alejandro Torrealba V
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi!!! Thank you so much for all your answers.

I took some days off... and did not reply this thread.

I just want to share my solution.

Basic authentication is bound to the browser, and once you have done login, should should close the browser to finish the logoff... what is not so elegant.

I changed to FORM authentication, creating my form, and posting the user information to a servlet who validates the user credentials against my realm, and this servlet redirect the user to either the application or to an error page. Obviously the proper configuration ifor security-constrain in web.xml have to be done.

I am sharing my solution here:

Login page:



My validation servlet method:


And the required part of the configuration file....


I hope this can be useful for someone else.

All the best,

Alejandro.

 
After some pecan pie, you might want to cleanse your palatte with this tiny ad:
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic