The issue is that the custom JAAS's LoginModule.logout() method is never called. I guess this has never been implemented correctly (at least since Tomcat 5.5.9). The thing is that according to the JAAS spec, the LoginContext.logout() is supposed to invoke the logout method for each LoginModule configured for this LoginContext. So, somebody should be sure to call the LoginContext.logout() method. The caller for this method could be either a server or a client. So, either Tomcat should provide some means for the clients to access the LoginContext, or Tomcat should take the responsibility to call this method by itself. I guess the solution could be for Tomcat to associate the instance of LoginContext with the user's session, and then Tomcat could invoke LoginContext.logout() when the session is being invalidated (both when the session times out or is invalidated explicitly). I hope that I am correctly interpreting the JAAS spec.
1. Can you point specifically to the section in the JAAS specification to which you're referring? 2. If you could submit a code patch for Tomcat for this matter, that would be great. Thanks!
1. http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html "A typical caller instantiates a LoginContext with a name and a CallbackHandler..." "Once the caller has instantiated a LoginContext, it invokes the login method to authenticate a Subject..." "To logout the Subject, the caller calls the logout method. As with the login method, this logout method invokes the logout method for the configured modules..." 2. Unfortunately, I am on a tight deadline for my company, so I cannot work on the patch (for myself I've just created a workaround for my logout requirements by utilizing the HttpSessionBindingListener interface, though I haven't tested it yet).
OK, thanks. If/when you get a chance to work on a patch, I will be glad to review and commit it as necessary. I myself don't have the time to develop one right now either, but I wanted to make sure you were still interested. Thanks.
Normal is P3, not P1.
I don't have a patch, but I do have a solution that I can outline here. Basically, the LoginContext needs to be saved in the session so logout can be called on it when the session is invalidated or expires. Currently, this is a problem because the LoginContext is created in the JAASRealm and discarded after login is called, and the only place that the session is available is in the Authenticator. Here is a proposed solution:
1) Create a pojo that has getPrincipal() and getLoginContext(). Let's call this pojo RealmPrincipal.
2) Change the Realm's authenticate methods to return a RealmPrincipal object instead of a Principal.
3) Change the Realm impls to create and return the RealmPrincipal, including the LoginContext where appropriate.
4) Change the Authenticators to check whether the LoginContext is not null and add it to the session notes the same as is currently being done with the principal.
5) Change the StandardSession expires() method to check for the LoginContext in the notes and call logout on it, if it is present.
I hope this is clear and sufficient for a timely fix. Thanks.
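The mechanism both comments above rely on (keep the LoginContext alive for the lifetime of the session, then call LoginContext.logout() when the session is invalidated or expires) can be demonstrated from the application side without patching Tomcat, using the HttpSessionBindingListener workaround mentioned earlier in the thread. The following is an added example written for this page; it is not code from the bug report, the patch, or Tomcat itself. The class name JaasSessionLogout, the attribute name "jaas.login.context", and the static login/logout helpers are assumptions chosen for the example; the servlet and JAAS APIs used are the standard ones.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Example (not Tomcat code): ties a JAAS LoginContext to an HTTP session so that
 * LoginContext.logout(), and therefore every configured LoginModule.logout(),
 * runs when the session ends, whether via HttpSession.invalidate() or timeout.
 *
 * The servlet container calls valueUnbound() on any attribute value that
 * implements HttpSessionBindingListener when the attribute is removed, replaced,
 * or the owning session is invalidated or expires.
 */
public final class JaasSessionLogout implements HttpSessionBindingListener {

    /** Hypothetical attribute name; any application-private key will do. */
    public static final String ATTR = "jaas.login.context";

    private static final Logger LOG = Logger.getLogger(JaasSessionLogout.class.getName());

    // LoginContext is not Serializable. This holder is deliberately not Serializable
    // either, so in a distributable (clustered) webapp it is not replicated and a
    // failed node will never run logout(); that is the same caveat as for the
    // in-container fix, and the reason this holder must not be marked Serializable.
    private final LoginContext loginContext;

    private JaasSessionLogout(LoginContext loginContext) {
        this.loginContext = loginContext;
    }

    /**
     * Authenticates against the JAAS configuration entry {@code appName} and,
     * on success, binds the live LoginContext to the session. On failure the
     * LoginException propagates and nothing is stored in the session.
     */
    public static Subject login(String appName, CallbackHandler handler, HttpSession session)
            throws LoginException {
        LoginContext lc = new LoginContext(appName, handler);
        lc.login(); // runs login() + commit() on each configured LoginModule
        // Binding (or replacing a previous binding) triggers valueBound();
        // replacing an old value triggers valueUnbound() on the old holder,
        // so a re-login on the same session logs the previous context out.
        session.setAttribute(ATTR, new JaasSessionLogout(lc));
        return lc.getSubject();
    }

    /**
     * Explicit logout: invalidating the session unbinds every attribute, which
     * makes the container call valueUnbound() below. Removing the attribute
     * alone would also work if the session must survive the logout.
     */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: the LoginContext is already logged in when it is bound.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Reached on explicit invalidate(), on session expiry by the container's
        // background thread, and on removal/replacement of the attribute.
        // Do not touch the session's attributes here: on invalidation they are
        // no longer accessible and would throw IllegalStateException.
        try {
            loginContext.logout(); // invokes logout() on each configured LoginModule
        } catch (LoginException e) {
            LOG.log(Level.WARNING, "JAAS logout failed for session "
                    + event.getSession().getId(), e);
        }
    }
}
```

The important property is that the same code path covers both the explicit and the timeout case, because the container, not the application, decides when valueUnbound() fires. What this does not cover is a LoginModule whose logout() must run on a node that has crashed, which is exactly the cluster limitation noted later in this thread.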
I have fixed trunk and proposed the patch for 6.0.x and 5.5.x
Note that if you have multiple Tomcat nodes in a cluster and use the JAASRealm then since the LoginContext is not Serializable there will be some scenarios where if a node fails the logout method will never be called.
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.
This has been fixed in 5.5.x and will be included in 5.5.29 onwards.