Re: [Acegisecurity-developer] logout functionality

2005-07-23 Thread Ben Alex

Tim Kettering wrote:

Okay, allow me to take back what I said. I later realized that the 
user in session would have nothing to do with where the voters would 
be obtaining the user object from, so if I was properly removing the 
user from the SecurityContextHolder, then everything should be working 
right. So I went back and double checked my code, and turns out I was 
performing the logout operation in the Render phase, not Action, even 
though I was saying otherwise on my previous email. Now don’t I look 
all foolish. :-)


So, a big mea culpa and apologies to all.



Hi Tim

Thanks for the clarification. Just for the benefit of the archives, at 
*no time* should people be accessing the HttpSession directly to work 
with the Authentication. They should *only* use the 
SecurityContextHolder (or ContextHolder in 0.8.3 and earlier) to 
interact with the current principal's identity or logged-in state.


Cheers
Ben



___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


RE: [Acegisecurity-developer] logout functionality

2005-07-22 Thread Tim Kettering

Okay, allow me to take back what I said. 
I later realized that the user in session would have nothing to do with where
the voters would be obtaining the user object from, so if I was properly
removing the user from the SecurityContextHolder, then everything should be
working right.  So I went back and double checked my code, and turns out I
was performing the logout operation in the Render phase, not Action, even
though I was saying otherwise on my previous email.  Now don’t I
look all foolish.  :-)


So, a big mea culpa and apologies to all.


-tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Kettering
Sent: Friday, July 22, 2005 1:58 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer] logout functionality

I was looking around for logout tips/practices on the
forums, and I found this thread from a while ago –


http://forum.springframework.org/viewtopic.php?t=5407&highlight=logout


So, as I understand this, setting a new security context in
0.9 and up will effectively log out a user.  The project I’m working
on is a bunch of portlets running under a portlet container.  We
are using Acegi to manage object-level permissions in the various portlets
using ACL.  


Since the changes to the user are not written back to the
session until the end of the request – the changes do not take effect for
that initial request.  On a standard webapp, this would normally not be an
issue because the page could easily forward to a “logout” page or
something, and then all future requests would be processed as usual.  


However, with portlets, since we have Portlet A, Portlet B,
and Portlet C and a Login/Logout Portlet all existing on one page, it works
differently.  When I click the “logout” link on the
login/logout portlet, the user is indeed logged out, but since the user still
exists in session, Portlets A, B and C still render their views as if the user
was still logged in.  It is not until the next web request (or a page
reload) that the views are updated correctly.  


I believe this occurs because of the two-phase (Action then Render)
process.  The logout is executed in the Action phase,
then all Portlets are rendered, but because the user is not removed from
session until end of request, the Render phase still has the User in session
visible, and acts accordingly.   So from a user/developer point of
view on the web page, the user has logged out, but the data that is displayed
in portlets is still displayed as if the user was logged in.


As more people start using Spring, and Acegi to build
portlet applications, I am quite certain this will become a common issue. 
I plan to resolve this issue for the short term by explicitly clearing the
ACEGI context from the session in the Action phase.  I do think that there
should be some re-consideration for a unified (or at least an endorsed) strategy
for clearing the user on logout from both the context and the session.  


My understanding of Acegi is still rather new – I’m
learning this stuff as I go, so if I have made any misassumptions, feel free to
correct me.  I thought it’d be a good time to bring this up for
discussion w/ the devs. 


-tim
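The two points made in this thread (Ben's rule that only the SecurityContextHolder is used to read or change the logged-in state, never the HttpSession directly, and Tim's observation that the logout has to happen in the Action phase so the Render phase of the same request already sees it) fit together in a single portlet. The class below is an added example, not code from the thread or from the Acegi project; it assumes Acegi 0.9.x package names (net.sf.acegisecurity, renamed org.acegisecurity in 1.0), a JSR-168 container in which the usual HttpSessionContextIntegrationFilter runs in front of the portlet request, and made-up names for the portlet class and the logout parameter.

```java
// Added example, not from the mailing-list thread or from Acegi itself.
// Logout is done in the Action phase by replacing the thread-bound
// SecurityContext, so every portlet rendered afterwards in the same request
// sees an empty context. The HttpSession is never touched by hand: Acegi's
// HttpSessionContextIntegrationFilter (assumed to be in the filter chain)
// writes the context back to the session when the request completes.
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.SecurityContextHolder;
import net.sf.acegisecurity.context.SecurityContextImpl;

public class LoginLogoutPortlet extends GenericPortlet {

    /** Action parameter that requests a logout (name is an assumption). */
    private static final String LOGOUT_PARAM = "logout";

    /**
     * Action phase: runs once per request, before any portlet on the page is
     * rendered. Clearing the context here is what makes the logout visible to
     * Portlets A, B and C during the Render phase of this same request.
     */
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if ("true".equals(request.getParameter(LOGOUT_PARAM))) {
            logout();
        }
    }

    /**
     * Render phase: read the principal from SecurityContextHolder only, never
     * from the portlet or HTTP session, so the view reflects whatever the
     * Action phase just did.
     */
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (isLoggedIn(auth)) {
            out.println("<p>Logged in as " + auth.getName() + "</p>");
        } else {
            out.println("<p>Not logged in</p>");
        }
    }

    /**
     * Log the current principal out for the rest of this request and for all
     * later ones: a fresh, empty SecurityContext replaces the authenticated one
     * (the 0.9 technique referenced in the forum thread above), and the filter
     * persists that empty context to the session at the end of the request.
     */
    static void logout() {
        SecurityContextHolder.setContext(new SecurityContextImpl());
    }

    /** True only for a present, authenticated principal. */
    static boolean isLoggedIn(Authentication auth) {
        return auth != null && auth.isAuthenticated();
    }
}
```

The logout link on the portlet's view is an action URL carrying logout=true, so the container routes it through processAction before the page's Render phase begins. Nothing here removes an attribute from the session by hand, which is exactly the workaround the thread warns against: once the context is cleared on the thread, the integration filter is responsible for the session copy, and the Render phase of every portlet on the page reads the cleared context through SecurityContextHolder.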