tomee-commits mailing list archives

From "Arjan Tijms (JIRA)" <j...@apache.org>
Subject [jira] [Created] (TOMEE-1805) HttpServletRequest#logout doesn't clear authenticated identity in EJB
Date Wed, 11 May 2016 21:44:13 GMT
Arjan Tijms created TOMEE-1805:
----------------------------------

             Summary: HttpServletRequest#logout doesn't clear authenticated identity in EJB
                 Key: TOMEE-1805
                 URL: https://issues.apache.org/jira/browse/TOMEE-1805
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 7.0.0
            Reporter: Arjan Tijms


After having authenticated via JASPIC, calling {{HttpServletRequest#logout}} from a [Servlet|https://github.com/javaee-samples/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java]
and then requesting the caller/user principal (all within the same request), TomEE 7.0.0-SNAPSHOT
from 05-05-2016 will correctly clear out the principal for the web context, but will NOT clear
out the principal for the EJB context.

A test case exists at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/ejb-propagation

To reproduce it, deploy the ejb-propagation war to TomEE and request http://localhost:8080/jaspic-ejb-propagation/public/servlet-public-ejb-logout?doLogin=true

The result that's printed is:

{noformat}
web username: test
EJB username: test
web username after logout: null
EJB username after logout: test
{noformat}

The EJB username after the logout should not be "test".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
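
The check described in the report, written as an added example (not code from the report or from javaee7-samples): a servlet that logs out and then asks both the web context and an EJB who the caller is, failing the request if either still reports the logged-in name. The class names and URL pattern are hypothetical, the two classes go in separate source files, and it assumes the Java EE 7 `javax.*` API and a request that has already been authenticated (for example by a JASPIC module).

```java
// File: CallerBean.java (hypothetical name)
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

@Stateless
public class CallerBean {
    @Resource
    private EJBContext ejbContext;
    // Caller name as seen by the EJB container, or null if it reports none.
    public String callerName() {
        Principal p = ejbContext.getCallerPrincipal();
        return p == null ? null : p.getName();
    }
}

// File: LogoutCheckServlet.java (hypothetical name and URL pattern)
import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/logout-check")
public class LogoutCheckServlet extends HttpServlet {
    @EJB
    private CallerBean callerBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal webBefore = req.getUserPrincipal();
        if (webBefore == null) { // nothing to verify without a login
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        callerBean.callerName(); // same order as the report: EJB call, then logout
        req.logout();
        // Compare with the pre-logout name: an unauthenticated EJB caller may
        // be reported under a container-specific name rather than null.
        boolean webStale = req.getUserPrincipal() != null;
        boolean ejbStale = webBefore.getName().equals(callerBean.callerName());
        if (webStale || ejbStale) resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/plain");
        resp.getWriter().printf("web stale: %b%nEJB stale: %b%n", webStale, ejbStale);
    }
}
```

With the behaviour reported above, this servlet would answer with status 500 and `EJB stale: true`.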
