What is the proper way to handle session when logging out a jsecurity subject?
Below is what I currently have, but I sometimes have issues with sessions:
Login
Subject currentUser = SecurityUtils.getSubject();
if (currentUser != null)
{
    if (!currentUser.isAuthenticated())
    {
        token.setRememberMe(true);
        currentUser.login(token);
        log.debug("authenticateUser() - Post Login");
    }
    if (currentUser.isAuthenticated())
    {
        personID = (Long) currentUser.getPrincipal();
        log.debug("authenticateUser() - user is authorized.");
    }
}
Logout
Subject currentUser = SecurityUtils.getSubject();
if (currentUser.isAuthenticated())
{
    currentUser.logout();
}
HttpSession session = request.getSession();
if (session != null)
{
    session.invalidate();
}
The issue that I consistently see is:
- The user logs in using the login code above.
- When the user logs out, the logout code above is executed.
- Without shutting down their browser, the user logs in again successfully.
- Next, somehow the session dies and a new one is created, but there is no Account information associated with the subject at this point. So when I programmatically check a role, I get the following exception.
UnauthenticatedException: Account data has not yet been associated with this Subject instance(this can be done by executing org.jsecurity.subject.Subject.login(AuthenticationToken) ).Therefore, authorization operations are not possible (a Subject/Account identity is required first). Denying authorization.
However, when the user logged in the 2nd time this did not happen. It also does not happen when the user completely shuts down their browser and logs in again fresh.
Any suggestions?
Thanks,
Todd Kofford
tkofford@ku.edu
Hi Todd,
This is sufficient enough for login:
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isAuthenticated()) {
    token.setRememberMe(true);
    currentUser.login(token);
    log.debug("authenticateUser() - Post Login");
}
Long personId = (Long) currentUser.getPrincipal();
// personId will never be null in this case, because the subject is authenticated.
And for logout:
Subject currentUser = SecurityUtils.getSubject();
// if this is a response to a user clicking log out, you should
// always log out the subject - no need to check for authenticated:
currentUser.logout();
// after the above call, there is no need to invalidate the http session
// since JSecurity does that automatically in web environments.
Also, please make sure you're using the latest 0.9.0 RC2 release. This release ensures that the authz exception is _only_ thrown on the Subject.check* methods. The hasRole* and isPermitted* variants will just return false when the Subject is anonymous instead of throwing an exception.
Let me know if that helps!
Regards,
Les
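Pulling the login, logout and role-check advice above into one helper class, as an added example (not code from the thread or from the JSecurity project). It assumes a realm is configured, that the principal is a Long user id as in Todd's code, and that the 0.9.0 RC2 behaviour Les describes applies: hasRole returns false for an anonymous subject while checkRole throws.

```java
import org.jsecurity.SecurityUtils;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizationException;
import org.jsecurity.subject.Subject;

/** Hypothetical helper; assumes a configured realm and JSecurity 0.9.0 RC2. */
public class SubjectSessionHelper {

    /** Authenticate only if the subject is not already authenticated; returns the principal. */
    public static Long login(String username, char[] password) throws AuthenticationException {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            token.setRememberMe(true);
            currentUser.login(token); // throws AuthenticationException on bad credentials
        }
        // Safe cast only because the subject is authenticated at this point.
        return (Long) currentUser.getPrincipal();
    }

    /** Log the subject out unconditionally; JSecurity invalidates the HTTP session itself. */
    public static void logout() {
        SecurityUtils.getSubject().logout();
        // Deliberately no request.getSession().invalidate() here: the extra
        // invalidation is what the thread identified as the source of the
        // "Account data has not yet been associated" failure on re-login.
    }

    /** Non-throwing check: false for an anonymous subject, so safe to call after logout. */
    public static boolean hasAdminRole() {
        return SecurityUtils.getSubject().hasRole("admin");
    }

    /**
     * Throwing variant: checkRole raises an AuthorizationException (for an anonymous
     * subject, the UnauthenticatedException seen in the thread). Catch it only at a
     * boundary that can redirect to the login page; otherwise prefer hasAdminRole().
     */
    public static boolean requireAdminRole() {
        try {
            SecurityUtils.getSubject().checkRole("admin");
            return true;
        } catch (AuthorizationException e) {
            return false;
        }
    }
}
```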
Logout problem Fixed!
Once again, thanks for the help Les!
The logout/log back in problem is now fixed.
I removed the specific call to invalidate the session after Subject.logout() and I updated to jsecurity RC2. I'm guessing that the implicit session.invalidate() call was maybe having a side effect of invalidating the new session after logout, since the jsecurity subject.logout() automatically invalidates the session too. Either that or the subject.logout() method was invalidating the new session after the explicit call to session.invalidate(). Either way, it is now fixed.
Thanks again,
Todd Kofford
tkofford@ku.edu