Hello all,
I am using acegi with my web app and I recently set up the logout filter to perform user logout and session invalidation.
I saw that the session invalidation property has been available since 1.0.3, so I made sure that I have this version.
Well, I put this stuff in place, and at first sight it seemed that everything was working correctly: I set my filterProcessesUrl to a URL called /logout.do, and put a link on my page.
In my web app, I have put interceptors on different controllers to redirect the user to a role-specific page if his session is invalid or incomplete. This allows me to check whether the session has been correctly invalidated.
So, I logged in to my web app, browsed a page, then logged out. Then I tried to access a protected page and, since the session had been invalidated, I was redirected to my specific home page. Everything looks fine: the logout filter has removed my session data from my session, and the session has certainly been invalidated. Taking a look at the log shows me this:
11:39:06,249 DEBUG [FilterChainProxy] [doFilter] /logout.do at position 1 of 2 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@89e0ef'
11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@1eb52b5b: Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@1eb52b5b: Username: org.acegisecurity.userdetails.User@0: Username: testEmployeur; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEUR; Password: [PROTECTED]; Authenticated: true; Details: {_internal-iam-roles-key=[Ljava.lang.String;@18159b2}; Granted Authorities: ROLE_EMPLOYEUR'
11:39:06,265 DEBUG [FilterChainProxy] [doFilter] /logout.do at position 2 of 2 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@e87e8'
11:39:06,265 DEBUG [LogoutFilter] [doFilter] Logging out user 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@1eb52b5b: Username: org.acegisecurity.userdetails.User@0: Username: xvdtst033; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEUR; Password: [PROTECTED]; Authenticated: true; Details: {_internal-iam-roles-key=[Ljava.lang.String;@18159b2}; Granted Authorities: ROLE_EMPLOYEUR' and redirecting to logout page
11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
11:39:06,265 DEBUG [HttpSessionContextIntegrationFilter] [doFilter] SecurityContextHolder set to new context, as request processing completed

This seems OK to me, even if I'm not sure I understand the last two lines.
But, after this, I take a look at my WebLogic console to monitor the sessions for my web app, and I realize that I still have 1 open session. If I go back to my login page, I see another session opening; now my WebLogic tells me 2 open sessions, etc.
Maybe I am missing something? I had a look at the WebLogic documentation to understand how WebLogic "recycles" or "removes" invalidated sessions, but I could not find anything.
Could someone tell me if they have encountered the same behaviour with another application server? Or is this normal behaviour when invalidating sessions?
I also tried to change my filterInvocationDefinitionSource chain, but with no real success.
Thanks for your help.
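As an added check, not code from the post or from Acegi: an HttpSessionListener that logs each session's creation and destruction with its id, whether it carried an Acegi security context, and the running count, so the WebLogic console figure can be matched line by line against the LogoutFilter log above. Package and class names are assumed; logging uses commons-logging, which Acegi already depends on.

```java
// Register in web.xml (class and package names are assumed):
//   <listener>
//     <listener-class>example.session.SessionCountListener</listener-class>
//   </listener>
package example.session;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class SessionCountListener implements HttpSessionListener {
    private static final Log log = LogFactory.getLog(SessionCountListener.class);
    // Session attribute key under which HttpSessionContextIntegrationFilter
    // stores the SecurityContext (visible in the "Obtained from ..." log line).
    private static final String ACEGI_KEY = "ACEGI_SECURITY_CONTEXT";
    // Live session count for this web app, updated by the container callbacks;
    // it should track the number shown in the WebLogic console.
    private static int active = 0;

    public void sessionCreated(HttpSessionEvent event) {
        int count;
        synchronized (SessionCountListener.class) { count = ++active; }
        // A creation logged right after the logout redirect means the page the
        // browser landed on (e.g. a JSP, which opens a session by default)
        // created a fresh, anonymous session; that is what the console counts.
        log.info("session created id=" + event.getSession().getId() + " active=" + count);
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        int count;
        synchronized (SessionCountListener.class) { count = --active; }
        // Distinguish an authenticated session (carries Acegi's context) from
        // an anonymous one; older containers may refuse attribute access here.
        boolean hadContext;
        try {
            hadContext = session.getAttribute(ACEGI_KEY) != null;
        } catch (IllegalStateException alreadyInvalid) {
            hadContext = false;
        }
        log.info("session destroyed id=" + session.getId()
                + " hadSecurityContext=" + hadContext + " active=" + count);
    }

    public static synchronized int getActiveCount() { return active; }
}
```

If a "session created" line follows the logout redirect, the remaining console session is a new anonymous one, not the invalidated one surviving.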