Details
- Bug
- Resolution: Done
- Major
- 9.0.0.Alpha1
- None
Description
Currently, HttpServletRequest.logout() and Session.invalidate() rely on the AuthenticationManager.flushCache() method to perform the JAAS logout. Internally, flushCache() removes the cache entry, and a cache listener takes care of the JAAS logout upon eviction.
However, this is only true for cache-type="default". If the "infinispan" cache is configured, no such eviction listener exists, so no JAAS logout is carried out when the entry is removed. Similarly, a JAAS logout is never carried out if the security domain doesn't use a cache at all. Only the presence of a cache with a special eviction listener results in logout() being called on the login module, which is obviously a faulty design: whether the login modules get to clean up (close connections, release tickets, clear principals and credentials from the Subject) should not depend on the cache policy.
The latest PicketBox version adds a logout(Principal, Subject) method to the AuthenticationManager interface. The default implementation used by WildFly takes care of flushing the cache if needed and performs the JAAS logout independently of the cache policy in use. The code that currently calls AuthenticationManager.flushCache() must be changed so that logout() is called instead.
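The following stand-alone Java program is an added illustration of the flaw described above; it is not PicketBox or WildFly code. It models an authentication manager with the three cache setups the issue mentions (the "default" cache with an eviction listener, an "infinispan"-style cache without one, and no cache) and drives a real JAAS LoginContext through both the old flushCache() path and the new logout(Principal, Subject) path. The class names DemoAuthenticationManager, RecordingLoginModule, NamedPrincipal and the CachePolicy enum are hypothetical; the JAAS configuration is built in code so no login.config file is needed.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical model of the issue; none of these classes exist in PicketBox or WildFly. */
public class LogoutDemo {

    /** Login module that records every JAAS logout() it receives. */
    public static class RecordingLoginModule implements LoginModule {
        static final List<String> loggedOut = new ArrayList<>();
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            user = nc.getName();
            return true;
        }
        @Override public boolean commit() { subject.getPrincipals().add(new NamedPrincipal(user)); return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() {
            // The call that, per the issue, never happens for infinispan or cache-less domains.
            for (Principal p : subject.getPrincipals()) loggedOut.add(p.getName());
            subject.getPrincipals().clear();
            return true;
        }
    }

    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** JAAS configuration defined in code: one REQUIRED RecordingLoginModule for every app name. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                RecordingLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    /** DEFAULT = cache with eviction listener, INFINISPAN = cache without one, NONE = no cache. */
    enum CachePolicy { DEFAULT, INFINISPAN, NONE }

    static class DemoAuthenticationManager {
        private final CachePolicy policy;
        private final Map<String, LoginContext> cache = new HashMap<>();

        DemoAuthenticationManager(CachePolicy policy) { this.policy = policy; }

        Subject login(String user) throws LoginException {
            Subject subject = new Subject();
            CallbackHandler h = cbs -> { for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName(user); };
            LoginContext lc = new LoginContext("demo", subject, h, CONFIG);
            lc.login();
            if (policy != CachePolicy.NONE) cache.put(user, lc);
            return subject;
        }

        /** Old path: JAAS logout happens only as a side effect of the default cache's eviction listener. */
        void flushCache(Principal principal) throws LoginException {
            LoginContext evicted = cache.remove(principal.getName());
            if (policy == CachePolicy.DEFAULT && evicted != null) evicted.logout(); // the listener
        }

        /** New path: flush if cached, then always run the JAAS logout against the subject. */
        void logout(Principal principal, Subject subject) throws LoginException {
            cache.remove(principal.getName());
            new LoginContext("demo", subject, null, CONFIG).logout();
        }
    }

    /** Returns true if the login module saw a JAAS logout for the user under the given policy and path. */
    static boolean jaasLogoutRan(CachePolicy policy, boolean useNewLogout) throws LoginException {
        RecordingLoginModule.loggedOut.clear();
        DemoAuthenticationManager mgr = new DemoAuthenticationManager(policy);
        Subject subject = mgr.login("alice");
        Principal principal = subject.getPrincipals().iterator().next();
        if (useNewLogout) mgr.logout(principal, subject); else mgr.flushCache(principal);
        return RecordingLoginModule.loggedOut.contains("alice");
    }

    public static void main(String[] args) throws LoginException {
        for (CachePolicy p : CachePolicy.values()) {
            System.out.printf("%-10s flushCache(): logout=%-5s  logout(): logout=%s%n",
                p, jaasLogoutRan(p, false), jaasLogoutRan(p, true));
        }
    }
}
```

Running main() shows the asymmetry the issue reports: with the old flushCache() path only the DEFAULT policy reaches the login module's logout(), while INFINISPAN and NONE silently skip it; with logout(Principal, Subject) all three policies clear the Subject. When checking a real deployment, the equivalent test is a login module whose logout() writes a log line, exercised through HttpServletRequest.logout() against a security domain configured with cache-type="infinispan" and against one with no cache.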