Question

I have a web application deployed on WebSphere Application Server 7.0. Users log in using /j_security_check. When the session timeout occurs the session is invalidated, but request.getUserPrincipal() is still not null. I expect it should be null. How do I clean the user principal?


Solution

I have found the solution in the WebSphere documentation.

  1. In the administrative console, click Security > Global security.
  2. Under Custom properties, click New.
  3. In the Name field, enter com.ibm.ws.security.web.logoutOnHTTPSessionExpire.
  4. In the Values field, enter true.
  5. Click Apply and Save to save the changes to your configuration.
  6. Resynchronize and restart the server.

Other tips

In addition to the solution provided by Vadim, I would like to share two links that describe a couple of alternative workarounds and explain the mechanisms causing this seemingly counterintuitive mode of operation.

If you're using SSO (single sign-on) between different applications, there may be a small drawback to using the com.ibm.ws.security.web.logoutOnHTTPSessionExpire=true setting. This setting essentially invalidates the LTPA token. Since the security cache at the server refreshes from the LTPA token when it times out, an invalidated LTPA token will cause revalidation (login) of the user for the remaining applications [1].

The answer to Question 9 (which seems to be the same as our question) at [2] provides ideas for two alternative workarounds for this problem, where you time out authentication using servlet filters based on lifetime and inactivity.

[1]: Security Cache, LTPA Token, and Session Time Outs (requires login)

[2]: Q & A: Frequently asked questions about WebSphere Application Server security

The key thing to bear in mind is that a valid/invalid HttpSession is not the same as security.

They are completely different.

Once you are authenticated by the server, you can still have the application work without any HttpSession if you want to.

Once you are authenticated by the server, you get an LTPA token returned to your browser, and the LTPA token is active for, say, 2 hours (which is the default).

If your HTTP session expires, that does not affect the LTPA token if you don't do anything extra.

You could try ibm_security_logout, which would invalidate the LTPA token.

I guess with later versions of the Servlet API we do have a proper logout operation available, which would eliminate the need for this.

HTH

Manglu
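The servlet-filter workaround mentioned in the second answer (timing out authentication by lifetime and inactivity) and the ibm_security_logout route described by Manglu can be combined in one filter. The code below is an added example written for this page; it is not code from the original answers or from IBM. It targets the Servlet 2.5 API shipped with WAS 7.0, so it does not use HttpServletRequest.logout() (Servlet 3.0+), which could replace the logout form on newer containers. The session attribute names, the init-parameter names and defaults, and the /login.jsp exit page are assumptions of the example; the filter is assumed to be mapped to the protected URL patterns in web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example (not from the original page or from IBM): a Servlet 2.5 filter that
 * times out the *authentication* independently of the HttpSession. Invalidating the
 * session alone leaves the LTPA token alive, so request.getUserPrincipal() stays
 * non-null; the filter therefore ends the security context through ibm_security_logout,
 * which does invalidate the token.
 */
public class AuthTimeoutFilter implements Filter {
    // Session attribute names are assumptions of this example.
    static final String LOGIN_AT = "auth.loginAtMillis";
    static final String LAST_SEEN = "auth.lastSeenMillis";
    // Page shown after logout; assumed to exist in the application.
    static final String EXIT_PAGE = "/login.jsp";

    private long maxLifetimeMillis;
    private long maxIdleMillis;

    public void init(FilterConfig cfg) {
        // Init parameters are assumed to be declared in web.xml; the defaults are arbitrary.
        maxLifetimeMillis = minutesToMillis(cfg.getInitParameter("maxLifetimeMinutes"), 120);
        maxIdleMillis = minutesToMillis(cfg.getInitParameter("maxIdleMinutes"), 30);
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Nothing to enforce for anonymous requests; never intercept the logout URL itself.
        if (request.getUserPrincipal() == null
                || request.getRequestURI().endsWith("ibm_security_logout")) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        long now = System.currentTimeMillis();
        Long loginAt = (Long) session.getAttribute(LOGIN_AT);
        Long lastSeen = (Long) session.getAttribute(LAST_SEEN);
        if (loginAt == null) {
            // First authenticated request seen in this session: start the clocks.
            loginAt = Long.valueOf(now);
            session.setAttribute(LOGIN_AT, loginAt);
        }
        if (lastSeen == null) {
            lastSeen = loginAt;
        }

        if (expired(now, loginAt.longValue(), lastSeen.longValue(), maxLifetimeMillis, maxIdleMillis)) {
            forceLogout(request, response, session);
            return;
        }

        session.setAttribute(LAST_SEEN, Long.valueOf(now));
        chain.doFilter(req, res);
    }

    /** Decision logic kept free of servlet types so it can be unit-tested without a container. */
    static boolean expired(long now, long loginAt, long lastSeen, long maxLifetime, long maxIdle) {
        return (now - loginAt) > maxLifetime || (now - lastSeen) > maxIdle;
    }

    static long minutesToMillis(String value, long defaultMinutes) {
        long minutes = (value == null) ? defaultMinutes : Long.parseLong(value.trim());
        return minutes * 60L * 1000L;
    }

    private static void forceLogout(HttpServletRequest request, HttpServletResponse response,
                                    HttpSession session) throws IOException {
        session.invalidate();
        // ibm_security_logout is WebSphere's logout endpoint; the documented logout form posts
        // to it and may carry a logoutExitPage parameter. Emit a self-submitting form with a
        // visible fallback button so the logout still completes when scripting is disabled.
        String action = request.getContextPath() + "/ibm_security_logout";
        String exitPage = request.getContextPath() + EXIT_PAGE;
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<html><body onload=\"document.forms[0].submit()\">");
        out.println("<form method=\"post\" action=\"" + action + "\">");
        out.println("<input type=\"hidden\" name=\"logoutExitPage\" value=\"" + exitPage + "\">");
        out.println("<p>Your login has expired.</p><input type=\"submit\" value=\"Continue\">");
        out.println("</form></body></html>");
    }
}
```

Because the filter acts on request.getUserPrincipal() rather than on session state, it also covers the case the question describes: a session that has already expired while the LTPA token is still valid triggers a fresh session, the clocks start from that request, and the next idle or lifetime expiry ends the token instead of only the session. Unlike the logoutOnHTTPSessionExpire property, the limits apply per application, so other SSO applications sharing the LTPA token are only affected when this filter actually posts to ibm_security_logout.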

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow