For application-managed authentication I use a Derby database. In the UserBean the logout() method is called when the user logs out. However, in the first code sample the session object is always null. If the declaration and definition of the variables facesContext and session are included inside the logout() method, then it works (code sample 2)!? Shouldn't the session object be initialized only once and then stay the same for the duration of the session? Why is that?
Code sample 1:
Code sample 2:
Would the given logout() method be a good example (application-managed authentication) of executing a logout, or did I miss something? Will the server make the client delete the cookie (on the client), or will the server just destroy the session object related to that specific client? How can I test the correct behaviour (e.g. check whether the correct object is being deleted)?
For container-managed authentication, would a logout method look the same as above?
Hints / questions on any of these points are much appreciated, since I cannot find answers in the literature.
I could actually try and comprehend your question, but that's too much work too early in the morning. So I'll make some general observations and see if they fit.
In J2EE, there's a bit of a blur between a container-managed security session and HttpSession. I think that starting in JEE, they've begun to make more of a distinction, but that's another matter.
In any event, in J2EE, the way to log out of a container-managed security session is to invoke session.invalidate(), as your examples do.
But sessions are more than just security. You MUST have (will be supplied with) an HttpSession when you're logged in with CMS, but you CAN have an HttpSession without being logged in!
JSF tends to confuse the issue. If a JSF process logs out via session.invalidate(), the security session will be destroyed, as will any session data attributes such as session-scope backing beans. But JSF uses HttpSession more frequently than other frameworks. For example, if you display a post-logout screen that references a session-scope backing bean, a NEW session will be created to contain it. This new session won't (yet) be secured - unless the post-logout screen is secured - and it won't have any of the previously-discarded session objects in it, but it will contain the new session objects.
An IDE is no substitute for an Intelligent Developer.
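An added example (not code from either poster) of a JSF 2.x logout action that follows the point made above: look the contexts up on every call instead of caching them in a field, invalidate only an existing session, and redirect to a page that touches no session-scoped beans so the container is not asked to create a fresh session. The bean and page names are assumed.

```java
import java.io.IOException;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean
@SessionScoped
public class UserBean {

    private String username;   // whatever the login action stored

    public String logout() throws IOException {
        // FacesContext is bound to the current request thread. A field in a
        // session-scoped bean outlives the request it was captured in, which is
        // why a cached facesContext/session pair reads back as null later.
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();

        // getSession(false): never create a session just to destroy it.
        HttpSession session = (HttpSession) ec.getSession(false);
        if (session != null) {
            // Server side: the session object and every attribute in it
            // (including this bean) are discarded. The browser still holds its
            // JSESSIONID cookie, but the container no longer maps it to anything.
            session.invalidate();
        }

        // Redirect to a page that references no session-scoped beans (assumed
        // name), so rendering it does not allocate a new, unsecured session.
        ec.redirect(ec.getRequestContextPath() + "/logged-out.xhtml");
        fc.responseComplete();
        return null;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }
}
```

To check the behaviour, watch the Set-Cookie headers in the browser's developer tools: after logout, the next request that needs a session receives a different JSESSIONID, and a request replaying the old cookie gets a fresh, empty session rather than the old attributes.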
Thanks for the welcome and your answer, Tim!
Since I already opened another thread with a more specific question, may I close this thread and link to the other? I will then include the questions there.