Bug 39231 - The JAAS contract for LoginModule is broken
The JAAS contract for LoginModule is broken
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
All All
: P3 normal with 3 votes (vote)
: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2006-04-06 21:19 UTC by Seva Popov
Modified: 2009-12-20 09:49 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Seva Popov 2006-04-06 21:19:49 UTC
The issue is that the custom JAAS's LoginModule.logout() method is never 
called. I guess this has been never implemented correctly (at least since 
Tomcat 5.5.9).

The thing is that according to the JAAS spec, the LoginContext.logout() is 
supposed to invoke the logout method for each LoginModule configured for this 

So, somebody should be sure to call LoginContext.logout() method. The caller 
for this method could be either a server or a client. 

So, either Tomcat should provide some means to access the LoginContext to the 
clients, or Tomcat should take the responsibility to call this method by itself.

I guess the solution could be for Tomcat to associate the instance of 
LoginContext with the user's session, and then Tomcat could invoke 
LoginContext.logout() when the session is being invalidated (both when the 
session times out or invalidated explicitely).

I hope that I am correctly interpreting the JAAS spec.
Comment 1 Yoav Shapira 2006-04-13 17:52:19 UTC
1. Can you point specifically to the section in the JAAS specification to which
you're referring?

2. If you could submit a code patch for Tomcat for this matter, that would be
great.  Thanks!
Comment 2 Seva Popov 2006-04-13 18:11:41 UTC

"A typical caller instantiates a LoginContext with a name and a 

"Once the caller has instantiated a LoginContext, it invokes the login method 
to authenticate a Subject..."

"To logout the Subject, the caller calls the logout method. As with the login 
method, this logout method invokes the logout method for the configured 

2. Unfortunately, I am on a tight deadline for my company, so can not work on 
the patch (for myself I've just create a workaround for my logout requirements 
by utilizing the HttpSessionBindingListener interface, though I haven't tested 
it yet). 
Comment 3 Yoav Shapira 2006-04-13 18:21:12 UTC
OK, thanks.  If/when you get a chance to work on a patch, I will be glad to
review and commit it as necessary.  I myself don't have the time to develop one
right now either, but I wanted to make sure you were still interested.  Thanks.
Comment 4 Yoav Shapira 2006-04-13 21:34:01 UTC
Normal is P3, not P1.
Comment 5 Jason Chaffee 2006-04-19 00:45:39 UTC
I don't have a patch, but I do have a solution that I can outline here.  

Basically, the LoginContext needs to be saved in the session so logout can be 
called on it when the session is invalidated or expires.  Currently, this is a 
problem because the LoginContext is created in the JAASRealm and discarded 
after login is called and the only place that the session is available is in 
the Authenticator.

Here is a proposed solution:

1) Create a pojo that has getPrincipal() and getLoginContext().  Let's call 
this pojo, RealmPrincipal.

2) Change the Realm's authenticate methods to return a RealmPrincipal object 
instead of a Principal.

3) Change the Realm impl's to create and return the RealmPrincipal, including 
the LoginContext where appropriate.

4) Change the Authentcator's to check to see if the LoginContext is not null 
and add it to the session notes the same as currently is being done with the 

5) Change the StandardSession expires() method to check for the LoginContext 
in the notes and call logout on it, if it is present.

I hope this is clear and sufficient for a timely fix.  Thanks.
Comment 6 Mark Thomas 2009-07-07 09:42:24 UTC
I have fixed trunk and proposed the patch for 6.0.x and 5.5.x
Comment 7 Mark Thomas 2009-08-03 02:17:34 UTC
Note that if you have multiple Tomcat nodes in a cluster and use the JAASRealm then since the LoginContext is not Serializable there will be some scenarios where if a node fails the logout method will never be called.
Comment 8 Mark Thomas 2009-11-03 16:09:06 UTC
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.
Comment 9 Mark Thomas 2009-12-20 09:49:05 UTC
This has been fixed in 5.5.x and will be included in 5.5.29 onwards.