application security vs container managed security and access to session object in bean

 
Greenhorn
Posts: 8
Hello,

For an application-managed authentication I use a Derby database. In the UserBean the logout() method is called in case the user logs out. However, in the first code sample the session object is always null. If the declaration and definition of the variables facesContext and session is included inside the logout() method then it works (code sample 2)!? Shouldn't the session object be initialized only once and then stay the same for the duration of the session? Why is that?

Code sample 1:


Code sample 2:


Would the given logout() method be a good example (application-managed authentication) of executing a logout or did I miss something? Will the server make the client delete the cookie (on the client) or will the server just destroy the session object related to that specific client? How can I test the correct behaviour (e.g. check whether the correct object is being deleted)?

For container managed authentication would a logout method look the same as above?

Hints / questions on any of these questions much appreciated since I cannot find answers in the literature.

Regards,

Dom
 
Saloon Keeper
Posts: 27752
Welcome to the JavaRanch, Dom!

I could actually try and comprehend your question, but that's too much work too early in the morning. So I'll make some general observations and see if they fit.

In J2EE, there's a bit of a blur between a container-managed security session and HttpSession. I think that starting in JEE, they've begun to make more of a distinction, but that's another matter.

In any event, in J2EE, the way to log out of a container-managed security session is to invoke session.invalidate(), as your examples do.

But sessions are more than just security. You MUST have (will be supplied with) an HttpSession when you're logged in with CMS, but you CAN have an HttpSession without being logged in!

JSF tends to confuse the issue. If a JSF process logs out via session.invalidate(), the security session will be destroyed, as will any session data attributes such as session-scope backing beans. But JSF uses HttpSession more frequently than other frameworks. For example, if you display a post-logout screen that references a session-scope backing bean, a NEW session will be created to contain it. This new session won't (yet) be secured - unless the post-logout screen is secured - and it won't have any of the previously-discarded session objects in it, but it will contain the new session objects.
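
Added example, not part of the original thread and not the poster's code (the thread's code samples are not shown on the page): a logout action for a JSF 2 session-scoped bean that looks up the FacesContext and HttpSession inside the method and invalidates the session as described above. The class name `LogoutBean`, the `/login.xhtml` path and the use of `HttpServletRequest.logout()` (Servlet 3.0+, relevant only with container-managed login) are assumptions.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical bean; the thread's own UserBean code is not shown on the page.
@ManagedBean
@SessionScoped
public class LogoutBean implements Serializable {
    private static final long serialVersionUID = 1L;

    // No FacesContext or HttpSession fields: FacesContext belongs to one
    // request, so a reference cached in a session-scoped bean goes stale.

    public void logout() throws IOException, ServletException {
        // Look both up inside the action, for the request being processed.
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();

        // Container-managed login only (Servlet 3.0+): drop the principal.
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        if (request.getUserPrincipal() != null) {
            request.logout();
        }

        // getSession(false) returns null instead of creating a session.
        HttpSession session = (HttpSession) ec.getSession(false);
        if (session != null) {
            session.invalidate(); // discards all session attributes and beans
        }

        // Redirect so the next view is built by a new request. "/login.xhtml"
        // is an assumed path; if that view touches a session-scoped bean, the
        // container creates a new, unauthenticated session for it.
        ec.redirect(ec.getRequestContextPath() + "/login.xhtml");
    }
}
```

To check the behaviour, record `session.getId()` and a marker attribute before logout, then confirm that the next request sees a different session id and no marker attribute.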
 
Dom McMillan
Greenhorn
Posts: 8
Thanks for the welcome and your answer, Tim!

Since I already opened another thread with a more specific question, may I close this thread and link to the other? I will then include questions there.

Here we go: https://coderanch.com/t/547156/JSF/java/After-logout-JSF-relogin-withtout
 
Tim Holloway
Saloon Keeper
Posts: 27752
I'll close and lock this one for you.
 