
Thread: Logout in acegi 1.0-RC2

  1. #11
    Join Date
    May 2006
    Posts
    1

    I am having this same problem. I did not try adding logout functionality until I moved up to 1.0 RC2. I am using Tomcat 5.5.15. Web framework is Wicket 1.1. The logout link logic invalidates the session and calls clearContext(). I have tried setting the authentication object to null.

    Here is the sequence of events.

    1) Click the logout link
    2) Wicket displays a "session is no longer valid" page with a link to the home page (I will address this later)
    3) Click the home page link
    4) Tomcat assigns a new session id
    5) The home page displays with the same user information (I display the user name) w/o requiring another authentication step
    6) I can click any of the navigation links from there and continue with the session as if nothing changed

  2. #12

    It works if you change
    terminate.setMaxAge(0);
    to
    terminate.setMaxAge(-1);

  3. #13
    Join Date
    Apr 2006
    Location
    Saint-Petersburg, Russia
    Posts
    50

    Still doesn't work for HTTP Digest Authentication

    It still doesn't work for HTTP Digest Authentication.
    Currently my Logout servlet looks like:
    Code:
    i_request.getSession().invalidate();

    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(-1);
    o_response.addCookie(terminate);

    SecurityContextHolder.clearContext();

    o_response.sendRedirect("index.jsp");
    and after navigating to logout it redirected to index.jsp and opened it without asking for a password...

    seems logout is too difficult a functionality to implement ((
    With best regards,
    Alexey Kakunin
    EmForge: Liferay based project hosting service

  4. #14
    Join Date
    May 2006
    Posts
    5

    Simple logout solution that works...

    In my jsp logoff page I put:

    session.invalidate();
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(0);
    terminate.setPath(request.getContextPath() + "/");
    response.addCookie(terminate);

    I noticed that if the following line:
    terminate.setPath(request.getContextPath() + "/");
    is not present and you use the remember me service
    you won't get logged off... I also noticed that if the + "/" is not present
    you won't log off either...
    So this line seems to be vital.

    Hope this helps... and if you find out why this "/" is required... I am interested.

    regards,

    Nicolas.

  5. #15

    It is not working for me.

  6. #16
    Join Date
    Apr 2006
    Location
    Saint-Petersburg, Russia
    Posts
    50

    Is RememberMe Authentication Service required?

    It also doesn't work for me, and only now I take into account that the TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY cookie is used for logout...

    But in my case RememberMe is not used. Is it necessary?

    Here is part of my acegi configuration:
    Code:
       <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
          <property name="filterInvocationDefinitionSource">
             <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
             </value>
          </property>
       </bean>

       <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
       </bean>

       <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
          <property name="defaultTargetUrl"><value>/</value></property>
          <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
       </bean>

       <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
          <property name="objectDefinitionSource">
             <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=ROLE_EMFORGEUSER
             </value>
          </property>
       </bean>
       <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
          <property name="allowIfAllAbstainDecisions"><value>false</value></property>
          <property name="decisionVoters">
             <list>
                <ref bean="roleVoter"/>
             </list>
          </property>
       </bean>
       <!-- An access decision voter that reads ROLE_* configuration settings -->
       <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

       <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
          <property name="key"><value>foobar</value></property>
          <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
       </bean>
    Maybe it helps to find the source of the problem?

    P.S. I just tested with last Acegi 1.0.0 - same problem
    With best regards,
    Alexey Kakunin
    EmForge: Liferay based project hosting service

  7. #17
    Join Date
    Oct 2006
    Posts
    1

    Firefox Only Fix

    I spent a few hours on this and found that Firefox and IE behave differently. IE was logging out fine however Firefox was not deleting the Cookie, thus the user was still logged in. The following code worked in IE but not Firefox:
    Code:
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(0);
    httpServletResponse.addCookie(terminate);
    However, by setting the cookie path to the original context path I could delete the cookie in Firefox, and thus the logout was successful:
    Code:
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
    terminate.setMaxAge(0);
    terminate.setPath( "/myinitialpath" );
    httpServletResponse.addCookie(terminate);
    Hope that helps!!
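
An added example (not from any poster and not Acegi code) for the path behaviour reported in posts #14 and #17: a small model of the RFC 6265 cookie store, showing why an expiring cookie whose path differs from the issued one leaves the token in place. The context path /myapp, the issued Path=/myapp/, the host and the cookie name are assumptions chosen to match those observations.

```javascript
// RFC 6265 section 5.1.4: the path a cookie gets when Set-Cookie has no Path.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// Model of a browser cookie store. RFC 6265 section 5.3 identifies a stored
// cookie by name, domain and path together, so that triple is the map key.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // maxAge follows the servlet Cookie.setMaxAge convention used in the thread:
  // 0 deletes, a negative value means a session cookie (no expiry is sent).
  store(requestUrl, { name, value = '', path, maxAge = -1 }) {
    const url = new URL(requestUrl);
    const usePath = path && path.startsWith('/') ? path : defaultPath(url.pathname);
    const key = [name, url.hostname, usePath].join('|');
    if (maxAge === 0) this.cookies.delete(key); // removes this exact triple only
    else this.cookies.set(key, { name, value, host: url.hostname, path: usePath });
  }

  // Values sent for `name` on a request, using the RFC 6265 path-match rule.
  sent(requestUrl, name) {
    const url = new URL(requestUrl);
    const p = url.pathname;
    return [...this.cookies.values()]
      .filter(c => c.name === name && c.host === url.hostname)
      .filter(c => p === c.path || (p.startsWith(c.path) &&
        (c.path.endsWith('/') || p[c.path.length] === '/')))
      .map(c => c.value);
  }
}

// Constructed scenario: context path /myapp, token cookie issued with
// Path=/myapp/ (assumed), placeholder cookie name and host.
const NAME = 'REMEMBER_ME_PLACEHOLDER';
function tokenSurvivesLogout(logoutCookie) {
  const jar = new CookieJar();
  jar.store('http://app.example/myapp/j_acegi_security_check',
    { name: NAME, value: 'token', path: '/myapp/', maxAge: 3600 });
  jar.store('http://app.example/myapp/logout.jsp', { name: NAME, ...logoutCookie });
  return jar.sent('http://app.example/myapp/index.jsp', NAME).includes('token');
}

console.log(tokenSurvivesLogout({ maxAge: 0 }));                  // no Path sent
console.log(tokenSurvivesLogout({ maxAge: 0, path: '/myapp' }));  // no trailing "/"
console.log(tokenSurvivesLogout({ maxAge: 0, path: '/myapp/' })); // exact match
```

Under these assumptions only the third call clears the token: a logout response sent from /myapp/logout.jsp without a Path defaults to /myapp, which the store treats as a different cookie from the one at /myapp/.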
