Ray Suliteanu(Migrated from SEC-23) said:
Per thread on the Acegi Spring forum http://forum.springframework.org/viewtopic.php?p=25760, the current JaasAuthenticationProvider does not provide any means to log out a user that was logged in via the JaasAuthenticationProvider, so the JAAS integration provided by it is not sufficient.
I have created a patch for my own temporary use against a nightly snapshot. I do not know if it’s correctly done, but it appears to work.
Feel free to use it or trash it, as long as there’s a way to log out a user via JAAS (i.e. the LoginContext.logout() method is invoked).
Thanks.
\ acegisecurity/core/src/main/java/net/sf/acegisecurity/providers/jaas/JaasAuthenticationProvider.java Tue Apr 26 20:39:06 2005
- JaasAuthenticationProvider.java.new Mon Jun 6 14:03:57 2005
\ 19,24 ****
- 19,27 --
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.GrantedAuthority;
- import net.sf.acegisecurity.context.SecurityContext;
- import net.sf.acegisecurity.context.SecurityContextHolder;
- import net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationFailedEvent;
-
\ 32,37 ****
- 35,42
--
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
- import org.springframework.context.ApplicationListener;
- import org.springframework.context.ApplicationEvent;
import org.springframework.core.io.Resource;
\ 160,166 ****
- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware {
//~ Static fields/initializers =========
protected static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class);
- 165,171
--
- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware, ApplicationListener {
//~ Static fields/initializers =========
protected static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class);
-
\ 174,179 ****
- 179,186
--
private String loginContextName = “
ACEGI”;
private AuthorityGranter[] authorityGranters;
private JaasAuthenticationCallbackHandler[] callbackHandlers;
- private InternalCallbackHandler callbackHandler;
- ```
private LoginContext loginContext;
```
//~ Methods ================
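Review bot: The new `callbackHandler` and `loginContext` fields turn what was per-authentication state into state shared by every caller of this provider, which is a concurrency defect for a singleton bean: two concurrent authenticate() calls race on `callbackHandler.setAuthentication(auth)` and on the single `LoginContext`, so one request's credentials can be submitted for another, and `loginContext.getSubject()` can hand back the other caller's Subject and principals — an authentication-confusion bug rather than a mere crash. The same shared state is relied on in the hunks at 314,322 (construction in afterPropertiesSet), 340,349 and 353,359 (the authenticate body), and 485,495 (the no-arg handler constructor with a setter), so the fix belongs here. Keep the original per-call construction `LoginContext lc = new LoginContext(loginContextName, new InternalCallbackHandler(auth));` and, to support logout, carry the successfully logged-in `lc` (or its Subject) on the Authentication object that authenticate() returns, so a later logout path can reach the context that belongs to that user; the field declarations can then be dropped along with the setter.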
\ 307,312 ****
- 314,322 --
```
Assert.notNull(Configuration.getConfiguration(),
“As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html \”If a Configuration object was set via the Configuration.setConfiguration method, then that object is returned. Otherwise, a default Configuration object is returned\“. Your JRE returned null to Configuration.getConfiguration().”);
```
+
- callbackHandler = new InternalCallbackHandler();
- ```
loginContext = new LoginContext(loginContextName, callbackHandler);
```
}
/**
-
\ 330,341 ****
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth;
```
try {
```
! //Create the LoginContext object, and pass our InternallCallbackHandler
! LoginContext lc = new LoginContext(loginContextName,
! new InternalCallbackHandler(auth));
```
//Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
```
! lc.login();
```
//create a set to hold the authorities, and add any that have already been applied.
Set authorities = new HashSet();
```
- 340,349
--
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth;
```
try {
```
! callbackHandler.setAuthentication(auth);
```
//Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
```
! loginContext.login();
```
//create a set to hold the authorities, and add any that have already been applied.
Set authorities = new HashSet();
```
-
\ 345,351 ****
}
```
//get the subject principals and pass them to each of the AuthorityGranters
```
! Set principals = lc.getSubject().getPrincipals();
```
for (Iterator iterator = principals.iterator();
iterator.hasNext();) {
```
- 353,359
--
}
```
//get the subject principals and pass them to each of the AuthorityGranters
```
! Set principals = loginContext.getSubject().getPrincipals();
```
for (Iterator iterator = principals.iterator();
iterator.hasNext();) {
```
-
\ 451,456 ****
- 459,482
--
}
}
- ```
public void onApplicationEvent(ApplicationEvent event) {
```
- if (event instanceof HttpSessionDestroyedEvent) {
- SecurityContext context = (SecurityContext) SecurityContextHolder.getContext();
- if (context != null) {
- try {
- loginContext.logout();
- }
- catch (LoginException e) {
- AcegiSecurityException ase = loginExceptionResolver.resolveException(e);
- log.error(ase.getMessage(), ase);
- }
- }
- else {
- log.debug(“onApplicationEvent – no SecureContext available”);
- }
- }
- ```
}
```
+
//~ Inner Classes ==============
/**
-
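Review bot: `loginContext.logout()` in onApplicationEvent logs out whichever Subject most recently passed `loginContext.login()`, not the user whose session was destroyed, because the field is shared by all authentications; with several users logged in, one user's session timeout could terminate a different user's JAAS Subject. The `SecurityContextHolder.getContext()` check also reads the thread-local context of whatever thread delivers the event, and if the container expires the session on its own thread (plausible for timeouts — verify against the event publisher) that context is not the destroyed session's, so the `context != null` check does not establish which user is being logged out. A safer shape is to take the LoginContext (or Subject) that was attached to the Authentication at login time from the destroyed session's stored SecurityContext — via the session the event carries, if it exposes it — and call logout() on that, leaving the `loginExceptionResolver` error path as it is since a failed best-effort logout is reasonably logged rather than rethrown; the log line would be more useful if it named the principal concerned. The shared field itself is raised at the 179,186 hunk.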
\ 459,466 ****
private class InternalCallbackHandler implements CallbackHandler {
private Authentication authentication;
! public InternalCallbackHandler(Authentication authentication) {
! this.authentication = authentication;
}
```
public void handle(Callback[] callbacks)
```
485,495
--
private class InternalCallbackHandler implements CallbackHandler {
private Authentication authentication;
! public InternalCallbackHandler() {
! }
!
! public void setAuthentication(Authentication authentication) {
! this.authentication = authentication;
}
```
public void handle(Callback[] callbacks)
```