TomEE: TOMEE-1805

HttpServletRequest#logout doesn't clear authenticated identity in EJB

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 7.0.0
• Component/s: TomEE Core Server
• Labels: None

Description

After having authenticated via JASPIC, calling HttpServletRequest#logout from a Servlet and then requesting the caller/user principal (all within the same request), TomEE 7.0.0-SNAPSHOT from 05-05-2016 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

A test case exists at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/ejb-propagation

To reproduce it, deploy the ejb-propagation war to TomEE and request http://localhost:8080/jaspic-ejb-propagation/public/servlet-public-ejb-logout?doLogin=true

The result that's printed is:

web username: test
EJB username: test
web username after logout: null
EJB username after logout: test

The EJB username after the logout should not be "test".
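As an added illustration of the check the report describes (this is not code from the javaee7-samples project or from TomEE), a servlet plus a stateless bean that print the caller name seen by the web and EJB containers before and after HttpServletRequest#logout, and flag the case where the two disagree; the class names, the URL pattern and the callerName helper are assumptions:

```java
// File: CallerBean.java (class and path names are assumptions, not the sample's own)
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
@Stateless
public class CallerBean {
    @Resource private SessionContext ctx;
    // Caller name as seen by the EJB container, or null when there is none
    // (containers that return an anonymous principal need a name comparison instead).
    public String callerName() {
        return ctx.getCallerPrincipal() == null ? null : ctx.getCallerPrincipal().getName();
    }
}

// File: LogoutCheckServlet.java
import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/public/logout-check")
public class LogoutCheckServlet extends HttpServlet {
    @EJB private CallerBean callerBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Authentication is done by the application's JASPIC SAM (triggered by
        // ?doLogin=true in the sample); this servlet only observes both containers.
        PrintWriter out = resp.getWriter();
        out.println("web username: " + webName(req));
        out.println("EJB username: " + callerBean.callerName());
        req.logout();
        String webAfter = webName(req);
        String ejbAfter = callerBean.callerName();
        out.println("web username after logout: " + webAfter);
        out.println("EJB username after logout: " + ejbAfter);
        // Both containers must agree that nobody is authenticated; a name still
        // visible to the EJB container means EJB authorization keeps running as the old user.
        if (webAfter == null && ejbAfter != null) {
            out.println("MISMATCH: EJB identity survived HttpServletRequest#logout");
        }
    }

    private static String webName(HttpServletRequest req) {
        return req.getUserPrincipal() == null ? null : req.getUserPrincipal().getName();
    }
}
```

On the affected snapshot the MISMATCH line would be printed; on a fixed build both "after logout" lines show null and the check stays silent, which makes it usable as a regression test.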

Activity

Arjan Tijms added a comment:

p.s. if you want to copy the JASPIC tests and incorporate them into the TomEE tests, go for it!


People

• Assignee: Romain Manni-Bucau
• Reporter: Arjan Tijms