Bug 975752

Summary: A user isn't properly logged out in BASIC auth method
Product: [Retired] JBoss BPMS Platform 6
Component: Business Central
Version: 6.0.0
Status: CLOSED NOTABUG
Reporter: Ivo Bek <ibek>
Assignee: Jervis Liu <jliu>
QA Contact: Ivo Bek <ibek>
CC: jliu, mproctor, rzhang
Severity: unspecified
Priority: unspecified
Target Milestone: ER3
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-23 11:33:39 UTC

Description Ivo Bek 2013-06-19 09:29:31 UTC
Description of problem:

When I set the BASIC auth method instead of the FORM auth method, Business Central log out doesn't work and it behaves strangely for multiple users.

First, I log in as user1. In Business Central I'm not able to log out; it just refreshes the home page.

Second, I close the browser and log in as user2. Business Central still shows that I'm logged in as user1.

The important thing is that Business Central only shows this wrong behavior while the BASIC auth method is set.

FYI, this is my web.xml part of login-config:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ApplicationRealm</realm-name>
</login-config>

Comment 1 Jervis Liu 2013-09-16 13:03:18 UTC
Not a bug.

It is wrong to configure the whole webapp with basic authentication. Basic authentication is a per-request authentication mechanism; it should only be used in circumstances like HTTP-based API access, e.g. REST.

Thus Basic authentication cannot be used in web.xml to configure the whole web application. On the other hand, Basic authentication is already supported behind the scenes without any explicit configuration. If you send an HTTP request with an "Authorization" header to the REST server, the server will authenticate the request using Basic authentication. If you send an HTTP request without an "Authorization" header, the server won't know which authentication scheme the client prefers, thus the client will receive a login page as a challenge with a 401 response code.
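The per-request decision described in the comment above, as an added illustration that is not part of this bug report and not Business Central's or JBoss's own code. It models a Basic-only server in Python: a request carrying an "Authorization: Basic" header is authenticated from that header alone, a request without one gets a 401 challenge, and because no session exists there is nothing for a "log out" link to invalidate, which is why a browser that keeps re-sending the cached credential stays logged in. The credential store, realm name and function names are constructed for the demo.

```python
import base64
import hmac

# Constructed credential store for the demo only; a real server would consult a
# realm such as the page's ApplicationRealm, never a dict of plaintext passwords.
USERS = {"user1": "secret1", "user2": "secret2"}
REALM = "ApplicationRealm"


def parse_basic_credentials(authorization):
    """Return (username, password) from an 'Authorization: Basic <b64>' header,
    or None if the header is absent, another scheme, or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers):
    """Decide one request the way a Basic-only server does.

    Returns (status, username_or_None, response_headers). There is no session
    table: every request is judged solely on the Authorization header it carries."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        expected = USERS.get(username)
        # Constant-time comparison so a wrong guess is not distinguishable by timing.
        if expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")
        ):
            return 200, username, {}
    # No usable credential: challenge the client (the "401 with login page" above).
    return 401, None, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def basic_header(username, password):
    """Build the header value a browser sends once it has cached a credential."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def simulate_logout_attempt():
    """Show why a 'log out' link cannot end a Basic login: the server keeps no
    state to clear, and the browser keeps re-sending the cached credential."""
    cached = basic_header("user1", "secret1")
    before = handle_request({"Authorization": cached})[1]
    # The application "logs out" here, but has no server-side session to drop.
    after = handle_request({"Authorization": cached})[1]  # browser still sends it
    return before, after


if __name__ == "__main__":
    print(handle_request({}))  # 401 plus WWW-Authenticate challenge
    print(handle_request({"Authorization": basic_header("user2", "secret2")}))
    print(simulate_logout_attempt())  # ('user1', 'user1')
```

The takeaway for the bug as filed is that ending a Basic "session" is a client-side matter (the browser discarding its cached credential), which a FORM-based login with a server-side session does not share; that is the behaviour the closing comment points to.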

Comment 2 Ivo Bek 2013-09-23 11:33:39 UTC
Well, this bug is quite outdated and now it doesn't make sense to change the login config when we have https://bugzilla.redhat.com/show_bug.cgi?id=986208, so I think we can close it.