TomEE / TOMEE-1805

HttpServletRequest#logout doesn't clear authenticated identity in EJB


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 7.0.0
    • TomEE Core Server
    • None

    Description

      After having authenticated via JASPIC, calling HttpServletRequest#logout from a Servlet and then requesting the caller/user principal (all within the same request), TomEE 7.0.0-SNAPSHOT from 05-05-2016 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

      A test case exists at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/ejb-propagation

      To reproduce it, deploy the ejb-propagation war to TomEE and request http://localhost:8080/jaspic-ejb-propagation/public/servlet-public-ejb-logout?doLogin=true

      The result that's printed is:

      web username: test
      EJB username: test
      web username after logout: null
      EJB username after logout: test
      

      The EJB username after the logout should not be "test".
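
      A minimal check for the behaviour reported above, added here as an illustration; it is not taken from the javaee7-samples test case or from TomEE. The class names and the /logout-check URL are hypothetical, and it assumes an authentication mechanism (such as a JASPIC SAM) is configured for the application.

```java
// File: CallerBean.java (hypothetical name)
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
@Stateless
public class CallerBean {
    @Resource
    private EJBContext ejbContext;
    // Name of the caller as the EJB container sees it.
    public String callerName() {
        return ejbContext.getCallerPrincipal().getName();
    }
}

// File: LogoutCheckServlet.java (hypothetical name and URL pattern)
import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/logout-check")
public class LogoutCheckServlet extends HttpServlet {
    @EJB
    private CallerBean callerBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumption: the configured mechanism authenticates this request
        // when authenticate() is called.
        if (!req.authenticate(resp)) {
            return; // the mechanism has already written its own response
        }
        String user = req.getUserPrincipal().getName();
        String ejbBefore = callerBean.callerName();
        req.logout();
        Principal webAfter = req.getUserPrincipal();
        String ejbAfter = callerBean.callerName();
        // getCallerPrincipal() never returns null; an unauthenticated caller gets a
        // container-specific name, so compare against the logged-in name instead.
        boolean leaked = webAfter != null || user.equals(ejbAfter);
        resp.setContentType("text/plain");
        resp.getWriter().printf("before: web=%s ejb=%s%nafter: web=%s ejb=%s%n%s%n",
                user, ejbBefore, webAfter, ejbAfter,
                leaked ? "FAIL: identity survived logout" : "OK");
    }
}
```

      Both lookups happen in the same request as the logout, which is the condition the report describes.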

          People

            romain.manni-bucau Romain Manni-Bucau
            arjan.tijms Arjan Tijms