JBoss Enterprise Application Platform - JBEAP-9165

HttpServletRequest.logout() doesn't work with Elytron

      Steps to reproduce:

      1. Add an application user:
         jboss-eap-7.1/bin/add-user.sh -a -u user1 -p password1! -r ApplicationRealm -g Admin
      2. Configure the server to use Elytron (use the attached CLI script):
         jboss-eap-7.1/bin/jboss-cli.sh --file=enable-elytron.cli
      3. Deploy the attached application.
      4. Start the server:
         jboss-eap-7.1/bin/standalone.sh
      5. Open http://localhost:8080/secured-webapp/user/ in a browser window.
      6. Log in as user1 / password1!
      7. Use the logout servlet: http://localhost:8080/secured-webapp/LogoutServlet
      8. Open http://localhost:8080/secured-webapp/user/ again.

      => The login form should be displayed, but access is granted directly instead.

      It works correctly with legacy security (if you skip the enable-elytron.cli execution step).

      Calling HttpServletRequest.logout() leaves the user logged in if Elytron security is used.

      This is a security flaw, therefore setting priority to Blocker.
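      The following servlet is an added illustration for this report and is not the attached secured-webapp application; it shows the kind of logout endpoint the reproduction steps exercise and adds a check that a tester or a log scan can use to spot the failure. The servlet path, the use of the Servlet 3.0 javax.servlet API (as shipped with EAP 7.1) and the log message text are assumptions.

```java
// Added example, not the attached test application: a minimal logout servlet
// that calls HttpServletRequest.logout() and then reports whether the container
// still associates a principal with the request.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/LogoutServlet") // assumed mapping, matches the URL in the steps above
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal before = req.getUserPrincipal();

        // Servlet 3.0: ask the container to end the caller's authenticated state.
        req.logout();

        // Per the Servlet specification, getUserPrincipal() must return null
        // after a successful logout(). A non-null value here is an immediate
        // indicator that the identity survived; the definitive check is step 8
        // of the reproduction (re-request /user/ and expect the login form).
        Principal after = req.getUserPrincipal();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("principal before logout(): " + name(before));
        out.println("principal after  logout(): " + name(after));

        if (after != null) {
            // Surface the failure in the server log so it can be caught by
            // an automated test run or a log search, not only by eye.
            log("logout() did not clear the identity of user " + after.getName());
            out.println("WARNING: container still reports an authenticated user");
        }
    }

    private static String name(Principal p) {
        return p == null ? "none" : p.getName();
    }
}
```

      Deploy it alongside a protected resource such as /user/, follow steps 5 to 8 above, and treat either a WARNING line from this servlet or direct access to /user/ in step 8 as a failed logout.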

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Jan Stourac