Tags: java, jakarta-ee, jaas, wildfly-9, undertow

JAAS logout does not work for custom login module


In my Java EE application running on a WildFly 9 server, I have a custom login module:

import java.security.Principal;
import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class MyLoginModule extends AbstractServerLoginModule {

    private Principal identity;

    @Override
    public boolean login() throws LoginException {
        // do something
        identity = new SimplePrincipal("test");
        subject.getPrincipals().add(identity);
        loginOk = true; // lets AbstractServerLoginModule.commit() know that login succeeded
        // do something else
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(identity);
        return true;
    }

    // Required by AbstractServerLoginModule
    @Override
    protected Principal getIdentity() {
        return identity;
    }

    // Required by AbstractServerLoginModule; no roles are granted here
    @Override
    protected Group[] getRoleSets() throws LoginException {
        return new Group[0];
    }
}

The login method works as expected. But it's not the same with the logout method. When I write something like request.getSession(false).invalidate(); from a Servlet or a web service, the logout method is never reached.

Here are my configuration files:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">

    <display-name>customer-area</display-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>*</role-name>
    </security-role>

    <login-config>
        <auth-method>MY-AUTH</auth-method>
    </login-config>

</web-app>

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/MySecurityDomain</security-domain>
</jboss-web>

standalone.xml

<security-domain name="MySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="mypackage.MyLoginModule" flag="required"/>
    </authentication>
</security-domain>

ServletExtension class:

import java.util.Map;
import javax.servlet.ServletContext;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.server.handlers.form.FormParserFactory;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.AuthenticationMechanismFactory;
import io.undertow.servlet.api.DeploymentInfo;

// Discovered by Undertow through META-INF/services/io.undertow.servlet.ServletExtension in the deployment
public class MyServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(final DeploymentInfo deploymentInfo, ServletContext servletContext) {

        // Makes "MY-AUTH" usable as <auth-method> in web.xml
        deploymentInfo.addAuthenticationMechanism("MY-AUTH", new AuthenticationMechanismFactory() {
            @Override
            public AuthenticationMechanism create(String mechanismName, FormParserFactory formParserFactory, Map<String, String> properties) {
                return new MyAuthenticationMechanism();
            }
        });
    }
}

AuthenticationMechanism class:

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;

public class MyAuthenticationMechanism implements AuthenticationMechanism {

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
        // The deployment's IdentityManager; on WildFly it delegates to the JAAS security domain from jboss-web.xml
        PasswordCredential credential = new PasswordCredential(new char[] {});
        Account account = securityContext.getIdentityManager().verify("test", credential);
        if (account != null) {
            // Registers the account with the security context; returning AUTHENTICATED alone is not enough
            securityContext.authenticationComplete(account, "MY-AUTH", false);
            return AuthenticationMechanismOutcome.AUTHENTICATED;
        } else {
            securityContext.authenticationFailed("verification failed", "MY-AUTH");
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        // Nothing to ask the client for; report a 401 so a failed authentication has a defined response
        return new ChallengeResult(true, 401);
    }
}

Did I miss something?


Solution

  • The method which allows reaching MyLoginModule.logout() is request.logout(). I should have found it by myself!
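A logout endpoint that applies the answer above, written here as an added example and not code from the original post. It calls the Servlet 3.0 request.logout() first (the container-managed logout, which is what reaches MyLoginModule.logout() per the answer) and only then invalidates the HTTP session, which on its own never touches the login module. The /logout mapping, the servlet name and the POST-only policy are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout endpoint: ends the container-managed authentication first, then drops the HTTP session.
 * request.logout() is the call that goes through the container and reaches MyLoginModule.logout();
 * session.invalidate() alone only discards session attributes.
 */
@WebServlet("/logout") // assumed URL mapping, not from the original post
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getRemoteUser() != null) {
            // Servlet 3.0 API: container logout, which triggers the login module's logout()
            request.logout();
        }
        // Then invalidate the session so no stale attributes survive the logout
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Sanity check: after logout the request must no longer carry a caller identity
        if (request.getRemoteUser() != null || request.getUserPrincipal() != null) {
            throw new ServletException("logout did not clear the caller identity");
        }
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Logout changes server-side state; restricting it to POST keeps a cross-site link
        // or image tag from logging the user out
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

The order matters: call request.logout() while the session and security context are still intact, then invalidate the session. With the web.xml shown in the question, every path including /logout is protected, so the request reaching this servlet is always authenticated by MY-AUTH first.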