[JASPIC_SPEC-6] Support for HttpServletRequest#logout Created: 14/Feb/13  Updated: 27/Feb/13  Resolved: 27/Feb/13

Status: Resolved
Project: jaspic-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: arjan tijms Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Servlet 3.0 introduced the HttpServletRequest#logout method.

Invoking this method does not seem to cause any method on a configured auth module to be invoked. This makes it impossible for an auth module to fully manage the authentication session. A specific use case is the implementation of a "remember me" functionality. For this the auth module can e.g. insert a cookie into the response after a successful initial authentication. This cookie should then live beyond a session expiration, but has to be removed when a user explicitly logs out.

Without the auth module being notified of such an explicit logout invocation, there is no opportunity to remove said cookie.

Comment by arjan tijms [ 17/Feb/13 ]

After investigating what the most well known implementations (JBoss, GlassFish, Geronimo, WebLogic and WebSphere) do, it appears that in none of them HttpServletRequest#logout causes any method on a SAM to be invoked, except for Geronimo. In Geronimo calling logout() causes cleanSubject() on the SAM to be invoked.

p.s. JASPIC_SPEC-4 also mentions logout.
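
Added example (not part of the issue, and not code from any JASPIC implementation): a sketch of the "remember me" SAM described above, with the cookie removed in cleanSubject(). It assumes the container invokes cleanSubject() on HttpServletRequest#logout, which per the comment above only Geronimo did; the class name, cookie name, in-memory token store and authenticate() hook are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Added illustration: class name, cookie name and token store are assumptions.
public abstract class RememberMeSam implements ServerAuthModule {
    private static final String COOKIE = "REMEMBER_ME";
    private static final Map<String, String> TOKENS = new ConcurrentHashMap<>(); // token -> user
    private CallbackHandler handler;
    // Hypothetical hook: verify the submitted credentials, return the user name or null.
    protected abstract String authenticate(HttpServletRequest request);
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map opts) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String user = TOKENS.get(tokenOf(req));                 // remembered from an earlier login?
        if (user == null && (user = authenticate(req)) != null) {
            // Unguessable random token; the user name itself never goes into the cookie.
            String token = new java.math.BigInteger(256, new java.security.SecureRandom()).toString(32);
            TOKENS.put(token, user);
            send(mi, req, token, 14 * 24 * 3600);               // outlives the HTTP session
        }
        try { handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) }); } // null = unauthenticated
        catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
        return AuthStatus.SUCCESS;
    }
    // The only place the module can drop the cookie, if the container calls it on logout.
    public void cleanSubject(MessageInfo mi, Subject subject) {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        TOKENS.remove(tokenOf(req));                            // revoke server-side first
        send(mi, req, "", 0);                                   // Max-Age=0 deletes it in the browser
        if (subject != null) subject.getPrincipals().clear();
    }
    private static String tokenOf(HttpServletRequest req) {
        Cookie[] cs = req.getCookies() == null ? new Cookie[0] : req.getCookies();
        for (Cookie c : cs) if (COOKIE.equals(c.getName())) return c.getValue();
        return "";                                              // never a key in TOKENS
    }
    private static void send(MessageInfo mi, HttpServletRequest req, String value, int maxAge) {
        Cookie c = new Cookie(COOKIE, value);
        c.setHttpOnly(true); c.setSecure(true); c.setMaxAge(maxAge);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        ((HttpServletResponse) mi.getResponseMessage()).addCookie(c);
    }
}
```

On a container that does not call cleanSubject() on logout, the token stays valid and the cookie stays in the browser, so the next request after logout is silently re-authenticated.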

Comment by monzillo [ 27/Feb/13 ]

This issue will be addressed under issue 4.

Comment by monzillo [ 27/Feb/13 ]


Generated at Sat Mar 25 18:29:00 UTC 2017 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.