[TOMEE-1805] HttpServletRequest#logout doesn't clear authenticated identity in EJB - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 7.0.0
Component/s: TomEE Core Server
Labels:
None

Description

After having authenticated via JASPIC, calling HttpServletRequest#logout from a Servlet and then requesting the caller/user principal (all within the same request), TomEE 7.0.0-SNAPSHOT from 05-05-2016 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

A test case exists at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/ejb-propagation

To reproduce it, deploy the ejb-propagation war to TomEE and request http://localhost:8080/jaspic-ejb-propagation/public/servlet-public-ejb-logout?doLogin=true

The result that's printed is:

web username: test
EJB username: test
web username after logout: null
EJB username after logout: test

The EJB username after the logout should not be "test".

Attachments

Activity

People

Assignee:: Romain Manni-Bucau

Reporter:: Arjan Tijms

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/May/16 21:43

Updated:: 12/May/16 09:53

Resolved:: 12/May/16 09:53