javaeekickoff / java-ee-kickoff-app


Unable to log out an authenticated user. #13

Closed jmfernandezg closed 7 years ago

jmfernandezg commented 7 years ago

There is an issue when logging out an authenticated user. I'm not quite sure what is happening there. It seems like the logout process goes just fine, the login and session are nullified, then a few milliseconds later the "authenticated" user goes back inside the session again.

12:13:05,176 INFO [org.example.kickoff.view.phaselistener.FacesRequestLogger] (default task-1) POST={url=/contact, user={ip=127.0.0.1, login=null, session=null, viewState=-2120950127968077595:-373007649678707392}, action={source=logoutForm:j_idt45, event=null, methods=[#{logoutBacking.logout}], validationFailed=false}, params={logoutForm=logoutForm, logoutForm:j_idt45=logoutForm:j_idt45}, messages={=[You have been logged out.]}, timer={0=52ms, 1=49ms, 2=0ms, 3=0ms, 4=0ms, 5=2ms, 6=-1ms}}

12:13:05,182 WARN [org.hibernate.hql.internal.ast.QueryTranslatorImpl] (default task-2) HHH000104: firstResult/maxResults specified with collection fetch; applying in memory!

12:13:05,263 INFO [org.example.kickoff.view.phaselistener.FacesRequestLogger] (default task-2) GET={url=/, user={ip=127.0.0.1, login=admin@kickoff.example.org, session=AnnhrW_L8A89YTKvgVq_HZzF21IPKbv90KVLyyFK, viewState=null}, action={source=null, event=null, methods=[], validationFailed=false}, params={}, messages={=[You have been logged out.]}, timer={0=60ms, 1=0ms, 2=-1ms, 3=-1ms, 4=-1ms, 5=-1ms, 6=59ms}}

This causes the user icon to still be displayed on the upper right corner even when the application confirmed that the user logged out.

(screenshot: bug3)

If we try to log out again, a session expired page appears. This is expected but there is still the user icon active on the upper right.

(screenshot: bug4)

If we try to log out again, a view expired exception is thrown.

(screenshot: bug5)

We can then go back to the user list page "/admin/users" and make changes and everything even though the user is supposed to be logged out.

Thanks.

BalusC commented 7 years ago

@arjantijms Can you look at this?

Problem appears to be in Soteria and is two-fold:

  1. "Remember Me" cookie is created even when "Remember Me" checkbox is not checked.
  2. "Remember Me" cookie is not cleared on request.logout().

BalusC commented 7 years ago

Looks like AuthenticationParameters#rememberMe() is completely ignored. I remember having discussed this issue years ago. That the default RememberMeInterceptor should by default also check AuthenticationParameters#rememberMe(), but this is not in place. I have fixed the @RememberMe annotation on that.

Not clearing the cookie on logout is caused by a Weld bug. It's already fixed in 2.4.0 / 3.0.0, but WildFly 10.1 still uses 2.3.5.
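The two Soteria defects above mean that request.logout() alone leaves a valid remember-me cookie in the browser, so the next request silently re-establishes the login (exactly what the GET at 12:13:05,263 shows). Until the fixed Weld/Soteria versions are available, the application can refuse to depend on the framework for this. The bean below is an added illustration of that defence in depth, written for this thread; it is not code from java-ee-kickoff-app or from Soteria. It assumes the remember-me cookie is named JREMEMBERMEID (Soteria's default cookie name) and was issued for the application's context path; adjust both if the deployment differs.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Logout that does not trust the authentication mechanism to clean up after itself.
 * Order matters: container logout, then session invalidation, then cookie removal,
 * then a redirect so the browser's next request is a fresh GET carrying no
 * remember-me token.
 */
@Named
@RequestScoped
public class LogoutBacking {

    // Assumption: Soteria's default remember-me cookie name.
    private static final String REMEMBER_ME_COOKIE = "JREMEMBERMEID";

    public void logout() throws ServletException, IOException {
        ExternalContext external = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) external.getRequest();

        // 1. Container-level logout (clears the caller principal for this request).
        request.logout();

        // 2. Drop the HTTP session so no server-side state survives.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the remember-me cookie ourselves. A cookie is only deleted if
        //    name and path match the one the browser holds, so the path must be
        //    the same one the cookie was issued for (assumed: the context path).
        String contextPath = external.getRequestContextPath();
        Map<String, Object> props = new HashMap<>();
        props.put("maxAge", 0);
        props.put("path", contextPath.isEmpty() ? "/" : contextPath);
        props.put("secure", request.isSecure());
        external.addResponseCookie(REMEMBER_ME_COOKIE, "", props);

        // 4. Redirect instead of rendering: the follow-up GET is what proves the
        //    logout took, and it must not be able to reuse the old token.
        external.redirect(contextPath + "/");
    }
}
```

After deploying, verify the fix the same way the bug was found: log out, then check that the GET which follows the redirect is logged with login=null and session=null and that the response to the logout POST carries a Set-Cookie for JREMEMBERMEID with Max-Age=0. Separately, log in with the checkbox unchecked and confirm no JREMEMBERMEID cookie is set at all; if one is, the first defect (rememberMe() being ignored) is still present and the cookie removal above is only masking it.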