JAAS logout does not work with custom login module

Time: 2016-11-07 14:09:30

Tags: java java-ee jaas wildfly-9 undertow

In my Java EE application running on a WildFly 9 server, I have a custom login module:

public class MyLoginModule extends AbstractServerLoginModule {

    private Principal identity;

    @Override
    public boolean login() throws LoginException {
        // do something
        identity = new SimplePrincipal("test");
        subject.getPrincipals().add(identity);
        // do something else
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(identity);
        return true;
    }
}

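The login method works as expected. But it is not the same with the logout method. When I write something like request.getSession(false).invalidate(); from a Servlet or a web service, the logout method is never called.

Here are my configuration files:

web.xml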

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">

    <display-name>customer-area</display-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>*</role-name>
    </security-role>

    <login-config>
        <auth-method>MY-AUTH</auth-method>
    </login-config>

</web-app>

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/MySecurityDomain</security-domain>
</jboss-web>

standalone.xml

<security-domain name="MySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="mypackage.MyLoginModule" flag="required"/>
    </authentication>
</security-domain>

ServletExtension class:

public class MyServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(final DeploymentInfo deploymentInfo, ServletContext servletContext) {

        deploymentInfo.addAuthenticationMechanism("MY-AUTH", new AuthenticationMechanismFactory() {
            @Override
            public AuthenticationMechanism create(String mechanismName, FormParserFactory formParserFactory, Map<String, String> properties) {
                return new MyAuthenticationMechanism();
            }
        });
    }
}

AuthenticationMechanism class:

public class MyAuthenticationMechanism implements AuthenticationMechanism {

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {

        PasswordCredential credential = new PasswordCredential(new char[] {});
        Account account = identityManager.verify("test", credential);
        if (account != null) {
            return AUTHENTICATED;
        } else {
            return NOT_AUTHENTICATED;
        }
    }
}

Am I missing something?

1 answer:

Answer 0: (score: 0)

The way to reach MyLoginModule.logout() is request.logout(). I should have found it myself!
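
An added example, not part of the original question or answer: a logout servlet that calls request.logout(), the call the answer identifies as reaching MyLoginModule.logout(), and only then invalidates the HTTP session. The class name LogoutServlet and the /logout URL are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; name and URL mapping are not from the original post.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // POST only, so a plain link or image tag cannot end the user's session.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Container-level logout (Servlet 3.0+). Per the answer above, this is
            // what reaches the login module's logout(); session.invalidate()
            // on its own did not.
            request.logout();
        } finally {
            // Drop the HTTP session too, even if logout() threw, so that no
            // session attributes outlive the authenticated identity.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // After logout() the Servlet spec requires the caller identity to be null;
        // fail loudly if the container still reports a user.
        if (request.getUserPrincipal() != null) {
            throw new ServletException("Logout did not clear the caller principal");
        }

        response.setHeader("Cache-Control", "no-store");
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```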