How to implement logout when using form-based security

I am using a security scope based on a JDBC form and I want to implement logout, but when I click on the link I see this exception:

java.lang.RuntimeException: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) ... Caused: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)

This is the EJB I created to execute the logout:

    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.PermitAll;
    import javax.ejb.Stateless;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpSession;

    @Stateless(name = "ejbs/SessionSupportEJBImpl")
    @DeclareRoles({"administrators", "users"})
    public class SessionSupportEJBImpl implements SessionSupportEJB {

        @PermitAll
        public void releaseUserState() {
            // Reaches into the JSF view layer from inside the EJB container
            HttpSession session = (HttpSession) FacesContext.getCurrentInstance()
                    .getExternalContext().getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
    }

Here I call it from a backing bean:

    import javax.ejb.EJB;
    import javax.enterprise.context.RequestScoped;
    import javax.inject.Named;

    @Named("logoutBB")
    @RequestScoped
    public class LogoutBean {

        @EJB
        private SessionSupportEJB sessionSupportEJB;

        // JSF action method: delegates to the EJB, then redirects to the index page
        public String logout() {
            sessionSupportEJB.releaseUserState();
            return "index.xhtml?faces-redirect=true";
        }
    }

And here is the markup that should cause it:

    <h:form>
        <!-- calls LogoutBean#logout(), the action method of the backing bean above -->
        <h:commandLink value="LOGOUT" action="#{logoutBB.logout}"/>
    </h:form>

My doubts:

  • How do I make a logout function?

  • Is it always mandatory to use EJB security annotations on my EJBs to allow access? (When using the security area)

  • Should I do this with a servlet instead of an EJB?

  • Is this approach wrong? Should I try something else to exit the system?

1 answer

First, I recommend that you do not call FacesContext in an EJB, because FacesContext is a "View Layer" element. The EJB's goal is the Business Logic Layer, and it's best practice to extract business process logic from a view because you can access the business process logic from many kinds of views.

On how to close a session, I recommend the following:

Create a servlet to implement the doGet method to close the session as follows:

    import java.io.IOException;

    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    @WebServlet("/logout")
    public class LogoutServlet extends HttpServlet {

        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            // getSession(false) returns null instead of creating a session just to invalidate it
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // The URL to go to after logout
            RequestDispatcher rd = req.getRequestDispatcher("/login.xhtml");
            rd.forward(req, res);
        }
    }

Then you can add the following link to the HTML/XHTML page to log out:

    <a href="/logout">Logout</a>

If you use JSF, to get the context path to your application, you can use:

    <a href="${request.contextPath}/logout">Logout</a>

DISCLAIMER: I assume that you are using Java EE 6. Also, I have not tested the code (but I know that it works); if you have some compilation problems, please let me know.

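As an added example (not part of the question or the answer above), here is a fuller version of the servlet approach for a container-managed, form-based login on Java EE 6 / Servlet 3.0. Beyond invalidating the session, it asks the container to drop the authenticated principal with HttpServletRequest.logout(), expires the session cookie in the browser, marks the response non-cacheable, and redirects instead of forwarding. The servlet name, the "/logout" mapping, the "/login.xhtml" landing page and the default "JSESSIONID" cookie name are assumptions for this example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet for container-managed form-based authentication (Java EE 6 / Servlet 3.0).
 * The "/logout" mapping and the "/login.xhtml" landing page are assumed for this example.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        // 1. Tell the container to forget the authenticated principal (Servlet 3.0 API).
        //    With FORM auth the principal lives in the session, so step 2 alone usually
        //    suffices, but logout() is the portable way to clear request.getUserPrincipal().
        try {
            req.logout();
        } catch (ServletException e) {
            // Some containers throw when nobody is logged in; that is harmless on logout.
        }

        // 2. Drop all server-side state. getSession(false) returns null rather than
        //    creating a session only to invalidate it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie in the browser too. The path must match the one the
        //    container used when it set the cookie: the context path, or "/" for the root context.
        //    "JSESSIONID" is the default name; it can be changed in web.xml (session-config/cookie-config).
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setHttpOnly(true);
        cookie.setSecure(req.isSecure());
        res.addCookie(cookie);

        // 4. Keep this response out of browser and proxy caches.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        // 5. Redirect rather than forward: the browser issues a fresh GET without a session,
        //    and a page refresh does not replay the logout request against a dead session.
        res.sendRedirect(req.getContextPath() + "/login.xhtml");
    }

    /** Keeps a plain link like the one in the answer working; a POST form is preferable. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        doPost(req, res);
    }
}
```

On a Facelets page the link from the answer can be replaced by a small form, for example `<form action="#{request.contextPath}/logout" method="post"><button type="submit">Logout</button></form>`, so that a crafted image or link on another site cannot log the user out with a bare GET. If you prefer to stay inside JSF, the view-layer equivalent of steps 2 and 5 is calling `FacesContext.getCurrentInstance().getExternalContext().invalidateSession()` from the backing bean and returning a navigation outcome with `faces-redirect=true`, which keeps FacesContext out of the EJB as the answer recommends.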

Source: https://habr.com/ru/post/1382879/
