Wednesday, July 9, 2014

WebLogic session.invalidate() is not enough

Implementing correctly security in WebLogic can be a daunting task. So many caveats and dodgy behaviors and not all is CLEARLY documented.

Suppose I have protested all my JSP with this clause in web.xml:

  <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdminPages</web-resource-name>
            <description>
                These pages are only accessible by authorized
                 administrators.
            </description>
            <url-pattern>/*.jsp</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>
                These are the roles who have access.
            </description>
            <role-name>
                admin
            </role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>
                This is how the user data must be transmitted.
            </description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
 <error-page>



and the role "admin" is defined in a weblogic.xml:

     <security-role-assignment>
         <role-name>admin</role-name>
         <principal-name>Administrators</principal-name>
         <principal-name>Monitors</principal-name>
         <principal-name>Deployers</principal-name>
     </security-role-assignment>

At this point all your JSP require that you are authenticated.

To logout, you can provide this JSP code:

<% 
session.removeAttribute("User");
session.invalidate(); 
weblogic.servlet.security.ServletAuthentication.invalidateAll(request);
request.logout();  // only from WebLogic 12, requires Servlet 3.0
%>



Without the "invalidateAll(...)", it will not work. Apparently the session information is still kept on the server, and the session will be immediately resumed without asking you to authenticate again. Frustrating. Documentation on this topic is a bit confusing.

3 comments:

mqhnow1 said...

Why not try request.logout()? We are in the age of servlet 3.0.

Pierluigi Vernetto said...

request.logout() requires servlet 3.0, which is supported in WebLogic 12, but Weblogic 11 supports only servlet 2.5

Pasquale Russo said...

Hi Pierluigi!
The post is so old, but hope you can read it.
We have a problem with a logout and login of a page deployed in Weblogic.

The page is composed in two part:
an upper part (with a specific war) and a bottom part handled by another war.
This means that user first log into the upper part and obtain a JSESSSIONID, then clicking in some link the bottom part is opened and we can see another JESSSIONID.
Now, for the moment we have a button in the upper part that logout the user.
Infact, in the next authentication the user obtain a NEW JSESSIONID for the upper part.
Unfortunately when now the user click on a link, the bottom part still have the old JSESSIONID. This happens only when user doesn't close his browser.

Do you think your jsp code


<%
session.removeAttribute("User");
session.invalidate();
weblogic.servlet.security.ServletAuthentication.invalidateAll(request);
request.logout(); // only from WebLogic 12, requires Servlet 3.0
%>

will be able to remove all JSESSIONID?
What kind of jar we need to import into this jsp in order to call correctly the weblogic method? Have you an example of this page?
Thanks a lot!!!