uCosminexus Application Server, Security Management Guide
This section contains the notes on the implementation of API-based user authentication.
If login and logout are implemented without using the Subject, and the LoginContext instance created at login time is reused at logout time, the logout may fail depending on the login module settings.
Use the Subject when implementing login and logout. The following are examples of implementations that should be avoided.
    <%-- Login: the LoginContext itself is stored in the session --%>
    <%
    LoginContext lc = new LoginContext("Portal",
        new WebPasswordHandler(request, response, null, "login.html", true));
    try { lc.login(); } catch (LoginException e) { ... }
    session.setAttribute("loginContext", lc);
    %>
    ...
    <%-- Logout: the login-time LoginContext is taken back out of the session and reused --%>
    <%
    LoginContext lc = (LoginContext)session.getAttribute("loginContext");
    try { lc.logout(); } catch (LoginException e) { ... }
    %>
    ...
Note: The lines that store the login-time LoginContext in the session and call logout() on it (shown in bold) must not be included in the implementation.
...
    <%-- Login: the LoginContext itself is stored in the session --%>
    <%
    LoginContext lc = new LoginContext("Portal",
        new WebPasswordHandler(request, response, null, "login.html", true));
    try { lc.login(); } catch (LoginException e) { ... }
    session.setAttribute("loginContext", lc);
    %>
...
    <%@ page import="javax.security.auth.login.LoginContext" %>
...
    <%-- Logout from a session binding listener: the stored LoginContext is reused when the session ends --%>
    <% session.setAttribute("logoutObject",
        new HttpSessionBindingListener() {
            public void valueBound(HttpSessionBindingEvent event) {}
            public void valueUnbound(HttpSessionBindingEvent event) {
                LoginContext lc = (LoginContext)event.getSession().getAttribute("loginContext");
                try { lc.logout(); } catch (LoginException e) { ... }
            }
        });
    %>
...
Note: The lines that store the login-time LoginContext in the session and call logout() on it (shown in bold) must not be included in the implementation.
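The recommended Subject-based pattern, as an added example written for this note rather than taken from the guide: plain Java with a hypothetical DemoModule standing in for the server's login modules and a programmatic JAAS Configuration so it runs outside the server; WebPasswordHandler is replaced by a no-op CallbackHandler.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class SubjectLogoutExample {
    // Hypothetical stand-in for the server's login modules: commit() adds a principal, logout() removes it.
    public static class DemoModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(new X500Principal("CN=demo-user")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic JAAS configuration so no external login.conf is needed (assumption, not the server's config).
    static {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        });
    }

    // Login: keep only the Subject (in a web app: session.setAttribute("subject", ...)) and drop the LoginContext.
    static Subject login(String app, CallbackHandler handler) throws LoginException {
        LoginContext lc = new LoginContext(app, handler);
        lc.login();
        return lc.getSubject();
    }

    // Logout: build a fresh LoginContext over the stored Subject instead of reusing the login-time instance.
    static void logout(String app, Subject subject, CallbackHandler handler) throws LoginException {
        LoginContext lc = new LoginContext(app, subject, handler);
        lc.logout();
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler noop = callbacks -> {};   // the real application would pass its WebPasswordHandler
        Subject s = login("Portal", noop);
        System.out.println("principals after login:  " + s.getPrincipals());
        logout("Portal", s, noop);
        System.out.println("principals after logout: " + s.getPrincipals());
    }
}
```

Because only the Subject is stored, the logout can run from a later request or a session listener without depending on the original LoginContext instance.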
When implementing sessions that reference and obtain user information, note the following:
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd