TomEE / TOMEE-1805

HttpServletRequest#logout doesn't clear authenticated identity in EJB

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.0.0
    • Component/s: TomEE Core Server
    • Labels:
      None

      Description

      After having authenticated via JASPIC, calling HttpServletRequest#logout from a Servlet and then requesting the caller/user principal (all within the same request), TomEE 7.0.0-SNAPSHOT from 05-05-2016 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

      A test case exists at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/ejb-propagation

      To reproduce it, deploy the ejb-propagation war to TomEE and request http://localhost:8080/jaspic-ejb-propagation/public/servlet-public-ejb-logout?doLogin=true

      The result that's printed is:

      web username: test
      EJB username: test
      web username after logout: null
      EJB username after logout: test
      

      The EJB username after the logout should not be "test".
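
The sequence from the description, written as a servlet and a stateless bean that report whether logout cleared the identity in both contexts. This is an added example, not the code of the linked javaee7-samples test or of TomEE; `CallerBean`, `LogoutCheckServlet` and the `/public/logout-check` path are hypothetical names. It assumes a Java EE 7 (`javax.*`) container and a caller who is already authenticated when the servlet runs, as with `doLogin=true` in the reproduction.

```java
// File: CallerBean.java (hypothetical name; added example)
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
@Stateless
public class CallerBean {
    @Resource
    private EJBContext ejbContext;
    // Caller name as the EJB container sees it. An unauthenticated caller
    // has a container-specific name, so callers compare before/after values.
    public String callerName() {
        Principal p = ejbContext.getCallerPrincipal();
        return p == null ? null : p.getName();
    }
}

// File: LogoutCheckServlet.java (hypothetical name and URL pattern)
import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/public/logout-check")
public class LogoutCheckServlet extends HttpServlet {
    @EJB
    private CallerBean callerBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        String webBefore = req.getRemoteUser();   // null when unauthenticated
        String ejbBefore = callerBean.callerName();
        req.logout();                             // must reset web AND EJB identity
        String webAfter = req.getRemoteUser();
        String ejbAfter = callerBean.callerName();
        out.println("web: " + webBefore + " -> " + webAfter);
        out.println("EJB: " + ejbBefore + " -> " + ejbAfter);
        // Pass only if there was a login, the web side is now anonymous, and
        // the EJB side no longer reports the pre-logout user name.
        boolean cleared = webBefore != null && webAfter == null
                && !webBefore.equals(ejbAfter);
        out.println(cleared ? "PASS: logout cleared both contexts"
                            : "FAIL: identity survived logout or no login");
    }
}
```

The check compares names rather than testing the EJB side for null, because the name an EJB container reports for an unauthenticated caller is container-specific.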

            People

            • Assignee: Romain Manni-Bucau
            • Reporter: Arjan Tijms