Posted to dev@jspwiki.apache.org by "Jürgen Weber (JIRA)" <ji...@apache.org> on 2010/03/18 08:52:27 UTC
[jira] Created: (JSPWIKI-643) Logout does not work with Tomcat SingleSignOn
Logout does not work with Tomcat SingleSignOn
---------------------------------------------
Key: JSPWIKI-643
URL: https://issues.apache.org/jira/browse/JSPWIKI-643
Project: JSPWiki
Issue Type: Bug
Components: Authentication&Authorization
Affects Versions: 2.8.3
Environment: Container managed security
Tomcat with SingleSignOn Valve
Reporter: Jürgen Weber
JSPWiki's logout button does not work with container managed security and Tomcat's SingleSignOn Valve.
To reproduce:
Have common users for JSPWiki and another web application B
Access B and trigger container managed security, log in.
B is active, user is logged in.
Access JSPWiki, JSPWiki shows the User logged into B. OK.
Click JSPWiki's log out button. Nothing happens, user stays authenticated.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-643) Logout does not work with Tomcat SingleSignOn
Posted by "Luca Gilardoni (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12847033#action_12847033 ]
Luca Gilardoni commented on JSPWIKI-643:
----------------------------------------
You may also wish to look at http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/200902.mbox/%3C499EECE0.6050209@gmail.com%3E.
I have had the same problem and left some notes.
[jira] Commented: (JSPWIKI-643) Logout does not work with Tomcat SingleSignOn
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12863026#action_12863026 ]
Harry Metske commented on JSPWIKI-643:
--------------------------------------
Given Andrew's answer (pointed to by the above link):
{quote}
Tomcat's single sign-on cookie is container-specific, and applies to
multiple webapps. JSPWiki cannot globally log out a user when you
click the logout link (Logout.jsp). The AuthenticationManager code
that handles logouts *does* flush the local HttpSession... that is
about as far as we can go, given the servlet spec.
What is probably happening is that when you use JSPWiki's logout
feature, the local session is flushed. But JSPWiki is then creating a
new WikiSession that picks up the (still present) Tomcat SSO cookie
and user principal... i.e., JSPWiki would still think you are logged
in because the container is passing on the credentials from the SSO
session.
You can verify my hunch by embedding the following scriptlet code
into templates/*/ViewTemplate.jsp, perhaps somewhere near the top:
<p>User principal: <%=request.getUserPrincipal()%></p>
<p>Session ID: <%=session.getId()%></p>
If the value of the principal is the same before AND after logout,
AND the session ID is different, then this would confirm the theory
that JSPWiki is still picking up the Tomcat SSO's principal value,
even though the local JSPWiki session was properly invalidated (and
recreated). If that's true, then there is nothing JSPWiki can do...
you would need to navigate back to the SSO application and log out
there.
Let me know what you see...
Andrew
{quote}
My conclusion is that we cannot "solve" this without going beyond the servlet spec, thereby creating container-dependent behavior.
Suggest to close as WontFix.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
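The behaviour described in the quoted mail above, as an added example that is not part of the thread and is not Tomcat or JSPWiki code: a toy container model in Python (all class and function names are hypothetical) in which a local logout replaces the session ID while the principal comes back from the SSO cookie. The `sso_logout` step is an assumption about what logging out at the SSO level does.

```python
import secrets
class ToyContainer:
    """Simplified model of a container with an SSO layer (constructed; not Tomcat code)."""
    def __init__(self):
        self.sso = {}       # SSO cookie value -> principal, shared by every webapp
        self.sessions = {}  # (webapp, session id) -> SSO cookie value it was bound to

    def login(self, cookies, webapp, user):
        """Container-managed login: register an SSO entry, then serve the request."""
        cookies["SSO"] = secrets.token_hex(8)
        self.sso[cookies["SSO"]] = user
        return self.request(cookies, webapp)

    def request(self, cookies, webapp):
        """Return (principal, session id), the two values the quoted scriptlet prints."""
        sid = cookies.get(webapp)
        if (webapp, sid) not in self.sessions:
            # No live local session: create one and bind it to the SSO cookie, if any.
            sid = cookies[webapp] = secrets.token_hex(8)
            self.sessions[(webapp, sid)] = cookies.get("SSO")
        return self.sso.get(self.sessions[(webapp, sid)]), sid

    def local_logout(self, cookies, webapp):
        """All a single webapp can do: invalidate its own session."""
        self.sessions.pop((webapp, cookies.get(webapp)), None)

    def sso_logout(self, cookies):
        """Assumption: logging out at the SSO level removes the shared entry."""
        self.sso.pop(cookies.pop("SSO", None), None)

def diagnose(before, after):
    """Apply the quoted mail's test to two (principal, session id) readings."""
    if before[0] is not None and before[0] == after[0] and before[1] != after[1]:
        return "re-authenticated from SSO cookie"
    return "logged out" if after[0] is None else "local session not invalidated"

def demo():
    c, cookies = ToyContainer(), {}         # cookies: one browser's cookie jar
    c.login(cookies, "appB", "juergen")     # constructed user name
    before = c.request(cookies, "JSPWiki")  # wiki picks up the SSO principal
    c.local_logout(cookies, "JSPWiki")      # the wiki's logout button
    after = c.request(cookies, "JSPWiki")
    c.sso_logout(cookies)                   # log out at the SSO level instead
    c.local_logout(cookies, "JSPWiki")
    final = c.request(cookies, "JSPWiki")
    return diagnose(before, after), diagnose(after, final)

if __name__ == "__main__":
    print(demo())
```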
[jira] Commented: (JSPWIKI-643) Logout does not work with Tomcat SingleSignOn
Posted by "Jürgen Weber (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12846814#action_12846814 ]
Jürgen Weber commented on JSPWIKI-643:
--------------------------------------
Stumbled onto old posts on JspWiki - User, that discuss the problem without giving a good solution:
http://old.nabble.com/Logout-Page-ts7564072.html
http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/200902.mbox/%3C499EECE0.6050209@gmail.com%3E
[jira] Closed: (JSPWIKI-643) Logout does not work with Tomcat SingleSignOn
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske closed JSPWIKI-643.
--------------------------------
Resolution: Won't Fix