Why does HttpSession.invalidate() not trigger a logout and JAAS cache entry flush on JBoss EAP 6?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.x
Issue
Why does HttpSession.invalidate() not trigger a logout and JAAS cache entry flush on JBoss EAP 6?
Resolution
Apply EAP 6.4 CP21 or later when available.
Root Cause
If the web application is not distributable, calling session.invalidate() causes the JAAS login module's logout() method to be invoked and the user's JAAS cache entry to be removed. However, if the web application is marked as distributable, calling session.invalidate() neither invokes the JAAS login module's logout() method nor removes the user's JAAS cache entry.
By default, the StandardSession session implementation is used. However, when the application is "distributable", then the ClusteredSession implementation is used.
In reviewing the code, the difference appears to be that ClusteredSession.expire() does not call principal.logout(), whereas StandardSession.expire() does call principal.logout().
This issue has been filed as bug 1593129, fixed upstream, and will be fixed in a future release of EAP 6.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.