
HttpServletRequest.logout() doesn't work with Elytron

Details

    Steps to Reproduce

      1. Add an application user:
         jboss-eap-7.1/bin/add-user.sh -a -u user1 -p password1! -r ApplicationRealm -g Admin
      2. Configure the server to use Elytron (use the attached CLI script):
         jboss-eap-7.1/bin/jboss-cli.sh --file=enable-elytron.cli
      3. Deploy the attached application.
      4. Start the server:
         jboss-eap-7.1/bin/standalone.sh
      5. Open http://localhost:8080/secured-webapp/user/ in a browser window.
      6. Log in as user1 / password1!
      7. Use the logout servlet: http://localhost:8080/secured-webapp/LogoutServlet
      8. Open http://localhost:8080/secured-webapp/user/ again.

      => The login form should be displayed, but access is granted directly instead.

      It works correctly with legacy security (if you skip the enable-elytron.cli execution step).
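A scripted version of the login / logout / re-request sequence above, added here as a regression check; it is not part of this report or of the attached application. It assumes the attached application uses Servlet FORM authentication (the login page posts j_username / j_password to j_security_check), that the URLs and credentials match the steps, and that curl is installed; exit status 1 corresponds to the behaviour this issue reports.

```shell
#!/bin/sh
# Added regression check for the sequence in WFLY-8252; not part of the report or the
# attached application. Assumes Servlet FORM authentication (j_security_check with
# j_username / j_password), the URLs and credentials from the reproduction steps, and curl.
BASE="${BASE:-http://localhost:8080/secured-webapp}"
LOGIN_USER="${LOGIN_USER:-user1}"
LOGIN_PASS="${LOGIN_PASS:-password1!}"

# True when the response body is the container's FORM login page rather than protected content.
is_login_form() {
    printf '%s' "$1" | grep -q 'j_security_check'
}

# GET a URL with the shared cookie jar (carries JSESSIONID) and print the body.
fetch() {
    curl -s -L -b "$JAR" -c "$JAR" "$1"
}

# Login -> LogoutServlet -> protected page again.
# Returns 0 if the login form comes back (logout effective),
# 1 if the protected page is still served (the behaviour this issue reports),
# 2 if the sequence could not be completed (server down, login failed).
check_logout() {
    JAR="$(mktemp)"
    # 1. An unauthenticated request must be answered with the login form.
    if ! is_login_form "$(fetch "$BASE/user/")"; then
        echo "no login form on first request"; rm -f "$JAR"; return 2
    fi
    # 2. Authenticate through the form.
    curl -s -L -b "$JAR" -c "$JAR" --data-urlencode "j_username=$LOGIN_USER" \
        --data-urlencode "j_password=$LOGIN_PASS" "$BASE/j_security_check" >/dev/null
    if is_login_form "$(fetch "$BASE/user/")"; then
        echo "login failed"; rm -f "$JAR"; return 2
    fi
    # 3. Call the application's logout servlet (which invokes HttpServletRequest.logout()).
    fetch "$BASE/LogoutServlet" >/dev/null
    # 4. The protected page must now require a fresh login.
    if is_login_form "$(fetch "$BASE/user/")"; then
        echo "PASS: logout effective"; rm -f "$JAR"; return 0
    fi
    echo "FAIL: still authenticated after LogoutServlet"; rm -f "$JAR"; return 1
}

# Run the check only when invoked as: sh check_logout.sh run
case "${1:-}" in run) check_logout ;; esac
```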

    Description

      Calling HttpServletRequest.logout() leaves the user logged in if Elytron security is used.

      This is a security flaw, therefore setting the priority to blocker.

      People

        Stuart Douglas (sdouglas1@redhat.com)
        Josef Cacek (josef.cacek@gmail.com) (Inactive)