Thanks a lot for your quick reply Jared.

I tried to return a 401, but it doesn't seem to cause the web browser
(Firefox in this case) to drop the user name and password from its cache. If I
do a refresh, the cached user is automatically re-authenticated.

Very annoying...

We're developing an Ajax application which is the reason why we don't want
to redirect to a specific login page (that could use form based login). If
the user actively logs out then it's OK to redirect to a login page, but if
the session times out, then we want to stay on the same page so that the
user can continue working after having entered their user name and password
again.

Basic authentication is not a requirement for me but it seemed like an easy
way to avoid redirecting to a dedicated login page. Is there a way to
accomplish an "ajax login" using Shiro? Is there a best practice for it?

Thanks,

/Bengt


2011/11/2 Jared Bunting <[email protected]>

> On Wed 02 Nov 2011 09:52:24 AM CDT, Bengt Rodehav wrote:
> > I'm using Shiro together with the http service in Apache Karaf which
> > in turn uses Jetty under the hood. I use Shiro 1.1.
> >
> > I've created my own AuthorizingRealm since we have a legacy system
> > that I redirect the authentication to. This seems to work and I can
> > get the currently logged in user as follows:
> >
> >   Subject subject = SecurityUtils.getSubject();
> >
> > When calling the "isAuthenticated" method I can see that the user is
> > logged in.
> >
> > However, on each call from the web browser to my web application, a
> > new authentication is being made. This means that I can't really log
> > out the user neither explicitly nor by session timeout. If I call
> >
> >   subject.logout()
> >
> > I can see that the user is indeed logged out since "isAuthenticated"
> > then returns false. But on the next request from the web browser the
> > user is authenticated again and a new session is created. If I restart
> > the web browser then I have to login again but as long as the web
> > browser is running the user seems to be automatically
> > re-authenticated. I use basic authentication and the behaviour is the
> > same in both Chrome and Firefox.
> >
> > Obviously I haven't understood how these things work. Can anyone
> > explain to me how I can log out a user both explicitly and via session
> > timeout?
> >
> > /Bengt
>
> If I understand what you're describing correctly, you are running into
> a browser behavior.  Typically, when using HTTP BASIC authentication,
> the browser will cache the user's name and password, and send the auth
> header with every single request.  This is very useful behavior for
> stateless webapps that require authentication.  It's less useful when
> you're already tracking a known user.
>
> Unfortunately, I know of no way to alter this behavior.  One thing you
> could try is, when logging a user out, return a 401.  This should cause
> the browser to re-ask the user for a username/password, which they
> could cancel.  So, while that's the best that I can offer, it sounds
> like a crappy UI.
>
> If you have a page-based, user-navigable webapp, you might consider
> using form authentication instead of basic.  It avoids this issue
> completely.
>
> Sorry I could not be of more help.
>
> -Jared
>
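One way to get the "ajax login" asked about above, as an added example that is not from the original thread or from Shiro itself: a subclass of Shiro's FormAuthenticationFilter that, for requests carrying the X-Requested-With: XMLHttpRequest header, answers with a 401 and a small JSON body instead of redirecting to a login page. Because no WWW-Authenticate: Basic header is sent, the browser never caches a user name and password, so subject.logout() and a session timeout really do end access, and the client-side code can react to the 401 by showing an inline login dialog and POSTing the credentials to the login URL. The package name, the URL layout in the comment and the JSON field names are assumptions; the overridden methods (onAccessDenied, isLoginRequest, isLoginSubmission, executeLogin, onLoginSuccess, onLoginFailure, saveRequestAndRedirectToLogin) are Shiro 1.1 API.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/*
 * Form-style authentication for an Ajax application.
 *
 * Unlike HTTP Basic, the credentials travel exactly once, in the POST to the
 * login URL (default parameter names "username" and "password"); afterwards only
 * the session cookie identifies the user. Assumed shiro.ini wiring:
 *
 *   [main]
 *   ajaxAuthc = com.example.shiro.AjaxAuthenticationFilter
 *   ajaxAuthc.loginUrl = /login
 *   [urls]
 *   /login = ajaxAuthc
 *   /api/** = ajaxAuthc
 *
 * Explicit logout is an application endpoint that calls
 * SecurityUtils.getSubject().logout(); the next Ajax call then gets a 401.
 */
public class AjaxAuthenticationFilter extends FormAuthenticationFilter {

    private static final String XHR_HEADER = "X-Requested-With";
    private static final String XHR_VALUE = "XMLHttpRequest";

    // Requests made by the Ajax client rather than by a page navigation.
    protected boolean isAjax(ServletRequest request) {
        HttpServletRequest http = WebUtils.toHttp(request);
        return XHR_VALUE.equalsIgnoreCase(http.getHeader(XHR_HEADER));
    }

    // Reached when the subject is not authenticated: never logged in, logged
    // out, or the session expired. Ajax callers get a 401 and stay on the page.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            if (isLoginSubmission(request, response)) {
                return executeLogin(request, response);
            }
            if (isAjax(request)) {
                // A GET of the login URL from the Ajax client is just "not logged in".
                sendUnauthorized(response, "login required");
                return false;
            }
            return true; // let a normal browser render the login page
        }
        if (isAjax(request)) {
            sendUnauthorized(response, "login required");
            return false;
        }
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }

    // Successful POST to the login URL: Ajax clients get 200 instead of a redirect.
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        if (isAjax(request)) {
            HttpServletResponse http = WebUtils.toHttp(response);
            http.setStatus(HttpServletResponse.SC_OK);
            http.setContentType("application/json");
            http.getWriter().write("{\"authenticated\":true}");
            return false; // response is complete; do not continue the filter chain
        }
        return super.onLoginSuccess(token, subject, request, response);
    }

    // Failed POST: 401 with a generic message; do not say which part was wrong.
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        if (isAjax(request)) {
            try {
                sendUnauthorized(response, "bad credentials");
            } catch (IOException ioe) {
                throw new IllegalStateException(ioe);
            }
            return false;
        }
        return super.onLoginFailure(token, e, request, response);
    }

    private void sendUnauthorized(ServletResponse response, String reason) throws IOException {
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Deliberately no "WWW-Authenticate: Basic" header: that is what makes the
        // browser pop up its own dialog and start caching the credentials.
        http.setContentType("application/json");
        http.getWriter().write("{\"authenticated\":false,\"reason\":\"" + reason + "\"}");
    }
}
```

The X-Requested-With check is a convenience for telling the Ajax client apart from a plain navigation, not a security control; the authentication decision itself is still Shiro's, and the server should continue to check the session on every request rather than trusting anything the client says about its login state.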
