uCosminexus Application Server, Security Management Guide
To perform the logout process, the logout session re-creates LoginContext from the Subject registered in HttpSession (see 5.10.4 Implementation of the session to register the successfully authenticated subject to HttpSession). It then deletes the Subject registered in HttpSession, and also deletes the user attributes if they are registered in HttpSession. The following is an example of logout implementation when the user attributes are registered in HttpSession.
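<%@ page import="javax.security.auth.Subject, javax.security.auth.login.LoginContext, javax.security.auth.login.LoginException" %>
<%
  try {
    // Re-create LoginContext from the Subject stored in HttpSession at login
    Subject subject = (Subject)session.getAttribute("ExampleSubject");
    LoginContext lc = new LoginContext("Example", subject);
    // Delete the user attributes and the Subject from HttpSession
    session.removeAttribute("ExampleCredential");
    session.removeAttribute("ExampleSubject");
    lc.logout();
  } catch (LoginException e) {
    // handle the logout failure here
  }
%>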
...
To complete logout when the session times out, assign an object that implements the HttpSessionBindingListener interface to the HttpSession object. The following is an example of logout implementation in which logout is completed when the session times out.
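<%@ page import="javax.security.auth.Subject, javax.security.auth.login.LoginContext, javax.security.auth.login.LoginException" %>
<%-- WebPasswordHandler must also be imported from the product's API package. --%>
<%
  LoginContext lc = new LoginContext("Portal",
    new WebPasswordHandler(request, response, null, "login.html", true));
  try {
    lc.login();
    // Bind the listener that performs logout when the session ends
    session.setAttribute("logoutObject",
      new MyListener("Portal", "ExampleSubject", "ExampleCredential"));
    // Register the authenticated Subject and the user attributes
    session.setAttribute("ExampleSubject", lc.getSubject());
    session.setAttribute("ExampleCredential",
      lc.getSubject().getPublicCredentials().iterator().next());
  } catch (LoginException e) {
    // handle the login failure here
  }
%>
<%!
  class MyListener implements
      HttpSessionBindingListener, java.io.Serializable {
    String name;         // name passed to LoginContext
    String subjectName;  // session attribute that holds the Subject
    String attrsName;    // session attribute that holds the user attributes
    public MyListener(String name, String subjectName, String attrsName) {
      this.name = name;
      this.subjectName = subjectName;
      this.attrsName = attrsName;
    }
    public void valueBound(HttpSessionBindingEvent ev) {}
    // Called when this object is unbound from the session,
    // including when the session is invalidated or times out
    public void valueUnbound(HttpSessionBindingEvent ev) {
      Subject subject =
        (Subject)ev.getSession().getAttribute(subjectName);
      ev.getSession().removeAttribute(attrsName);
      ev.getSession().removeAttribute(subjectName);
      try {
        LoginContext ctx = new LoginContext(name, subject);
        ctx.logout();
      } catch (LoginException e) {}
    }
  }
%>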
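The following is an added example, not part of the original manual, that shows in plain JAAS why both examples re-create LoginContext from the stored Subject: logout() on the new context reaches the login module, which clears the Subject, and a missing Subject surfaces as a LoginException. DemoModule, CONFIG and the "CN=alice" principal are constructed stand-ins for the product's login module and configuration, and the Configuration is passed explicitly so that the program runs with only the JDK.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class LogoutDemo {
    // Constructed stand-in for the product's login module (assumption).
    public static class DemoModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }   // accepts anyone: demo only
        public boolean commit() {
            subject.getPrincipals().add(new X500Principal("CN=alice"));
            subject.getPublicCredentials().add("attributes-of-alice");
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() {
            // Cleans up from the Subject alone, so a re-created LoginContext can call it.
            subject.getPrincipals().removeIf(p -> p instanceof X500Principal);
            subject.getPublicCredentials().clear();
            return true;
        }
    }
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    public static void main(String[] args) throws LoginException {
        LoginContext login = new LoginContext("Example", null, null, CONFIG);
        login.login();
        Subject stored = login.getSubject();   // the object the page keeps in HttpSession
        System.out.println("after login:  " + stored.getPrincipals());
        // Logout request: a new LoginContext rebuilt from the stored Subject.
        new LoginContext("Example", stored, null, CONFIG).logout();
        System.out.println("after logout: " + stored.getPrincipals() + stored.getPublicCredentials());
        try {   // Subject already gone (expired session, repeated logout)
            new LoginContext("Example", null, null, CONFIG).logout();
        } catch (LoginException e) {
            System.out.println("no Subject:   " + e.getMessage());
        }
    }
}
```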
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd