Unauthenticated Access to a Secured Resource?

Ranch Hand
I'm working on a web application and I've run into an issue. I have secured the page "index.html" in my web application. Here's a snippet from my deployment descriptor:



This seems to work fine, initially. When I try to access index.html, I'm redirected to the login page. From there, I can log in to the application.

The problem really occurs when a user tries to log out or the user's session times out. When that happens, I send the user to a "logged out" page or a "session timed out" page. From there, I have a link so that the user can easily log back in to the application by going back to index.html.

The problem is that, when the user goes back to index.html, the user is not forced to authenticate again. Instead, the user goes right in to that page. Without authentication, I have no idea who the user is (their data is stored in the session) and I get errors from my web app when the user tries to access it.

Once the session expires (or is invalidated via "request.getSession().invalidate()"), shouldn't the user be forced to authenticate to any secured resources once again? I thought that was the case, but it doesn't seem to be.

Any suggestions?

Thanks,
Corey
 
author & internet detective
Corey,
There are multiple timeouts involved. There is the session timeout which is the one you are discussing. There is also a WebSphere timeout for WAS authentication. If you are using a third party tool like Siteminder or Netegrity, they have their own logout timeouts too.

Check to see that all of these are set to the same value. If one is more than the others, you run into a situation similar to the one you are describing.
 
Corey McGlone
Ranch Hand

Originally posted by Jeanne Boyarsky:
There is also a WebSphere timeout for WAS authentication.

As usual, Jeanne to the rescue.

I'm assuming that this is the problem. How can I set this value?

Also, when the user logs out, how can I flag them as "unauthenticated" to WAS so that they'll have to reauthenticate in order to get back into my web application?

Thanks,
Corey
 
sharp shooter, and author
You might also want to rule out the possibility that your web browser is caching the pages. To do this, you can place code like the following in your JSPs and/or servlets.



Good luck!
 
Jeanne Boyarsky
author & internet detective
Corey,
When logging a user out, you should do three things:
1) destroy HttpSession - session.invalidate()
2) Null out invocation credentials - new ServerSideAuthenticator().setInvocationCredentials(null);
3) If using SSO, unset SSO cookie - new SSOAuthenticator().logout(req, res);

The WebSphere timeout for WAS authentication is in the admin console under the server. If I have time today, I'll try to be more precise.
 
Jeanne Boyarsky
author & internet detective
Corey,
Security --> Authentication Mechanisms --> LTPA. The fourth item down is the timeout I was referring to. It makes sense that this would be global to all servers.

"The time period in minutes at which an LTPA token will expire. This time period should be longer than cache timeout configured in the Global Security panel. "

It's the server that has an option to override the cache timeout (Servers --> Application Servers --> <App Server Name> --> Server Security --> Server Level Security). This one is also set in the global security defaults. As long as it is less than the LTPA timeout, it wouldn't be the cause of the problem.
 
Corey McGlone
Ranch Hand
Thanks, Jeanne - that all works great.

I'm still having just one problem. If the user opts to log out prior to their timeout, how do I get rid of the LtpaToken cookie? When the user goes beyond the Ltpa timeout interval, that cookie is expired and causes the user to have to reauthenticate. But how do I expire that cookie explicitly when the user chooses to log out, rather than being timed out?

I've tried expiring it in my Java code, like this:



That sets the max age to 0 successfully, but the cookie doesn't seem to actually expire, as I'd expect it to.

I've also tried deleting the cookie through JavaScript in my "you have logged out" page, but that doesn't seem to be working, either. Any ideas?

Thanks,
Corey
 
Jeanne Boyarsky
author & internet detective
Corey,
If you are using single sign on, the SSOAuthenticator.logout() call handles LTPA cookie deletion. Either way, it's a good idea to delete the cookie explicitly.

Don't you have to call response.addCookie() so the browser knows it has expired? If that doesn't work, try posting the cookie question in servlets.
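Corey's cookie code is missing from the page, and Jeanne's three logout steps are given only as one-liners. As an added example (not code from either poster), here is a logout servlet that ties the two together: it invalidates the HttpSession, expires the LtpaToken cookie and, crucially, adds the expired cookie to the response so the browser actually receives the Max-Age of 0. The servlet name, the logged-out page path, the cookie path and the commented-out domain are assumptions; the WebSphere-specific ServerSideAuthenticator and SSOAuthenticator calls are left as comments exactly as the thread names them, because their package names are not given on the page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Explicit logout: drops the application session and tells the browser to
 * discard the SSO cookie, so the next request to a secured resource has to
 * go through the login page again. Hypothetical class name.
 */
public class LogoutServlet extends HttpServlet {

    // Name of the WebSphere SSO cookie, as given in the thread.
    private static final String LTPA_COOKIE = "LtpaToken";

    // Assumption: the "you have logged out" page lives at this path.
    private static final String LOGGED_OUT_PAGE = "/loggedout.html";

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {

        // 1) Destroy the HttpSession so no per-user state survives.
        //    getSession(false) avoids creating a fresh session just to kill it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2) and 3) WebSphere-specific steps from the thread go here:
        //    new ServerSideAuthenticator().setInvocationCredentials(null);
        //    new SSOAuthenticator().logout(req, res);   // only when SSO is on
        //    (package imports omitted: check the javadoc for your WAS version)

        // Expire the SSO cookie explicitly. Setting max age to 0 on the cookie
        // object does nothing by itself: the cookie has to be added to the
        // response, and it must match the name, path and domain the original
        // was set with, otherwise the browser treats it as a different cookie.
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (LTPA_COOKIE.equals(cookies[i].getName())) {
                    Cookie expired = new Cookie(LTPA_COOKIE, "");
                    expired.setMaxAge(0);      // Max-Age 0 = delete now
                    expired.setPath("/");      // assumption: path the SSO cookie was issued with
                    // expired.setDomain(".example.com"); // assumption: your SSO domain, if one is set
                    res.addCookie(expired);    // without this line the browser never hears about it
                }
            }
        }

        res.sendRedirect(req.getContextPath() + LOGGED_OUT_PAGE);
    }

    // Logout is a state-changing action, so it is exposed on POST only;
    // a GET link on the logged-out page can post to it via a small form.
}
```

If the cookie still survives after this, compare the path and domain on the expired cookie with those the container set on the original (visible in the browser's cookie store); a mismatch on either is the usual reason a Max-Age of 0 is ignored.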
 