Bug 975752 - A user isn't properly logged out in BASIC auth method
Status: CLOSED NOTABUG
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central (Show other bugs)
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER3
Target Release: 6.0.0
Assigned To: Jervis Liu
QA Contact: Ivo Bek
Depends On:
Blocks:
Reported: 2013-06-19 05:29 EDT by Ivo Bek
Modified: 2013-11-07 17:11 EST
CC List: 3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-23 07:33:39 EDT
Type: Bug
Regression: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---

Attachments: None
Description Ivo Bek 2013-06-19 05:29:31 EDT
Description of problem:

When I set the BASIC auth method instead of the FORM auth method, Business Central log out doesn't work and behaves strangely for multiple users.

First, I log in as user1. In Business Central I'm not able to log out; it just refreshes the home page.

Second, I close the browser and log in as user2. Business Central still shows that I'm logged in as user1.

The important thing is that Business Central only shows this wrong behaviour while the BASIC auth method is set.

FYI, this is the login-config part of my web.xml:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ApplicationRealm</realm-name>
</login-config>

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jervis Liu 2013-09-16 09:03:18 EDT
Not a bug.

It is wrong to configure the whole webapp with Basic authentication. Basic authentication is a per-request authentication mechanism; it should only be used in circumstances like HTTP-based API access, e.g. REST.

Thus Basic authentication cannot be used in web.xml to configure the whole web application. On the other hand, Basic authentication is already supported behind the scenes without any explicit configuration. If you send an HTTP request with an "Authorization" header to the REST server, the server will authenticate the request using Basic authentication. If you send an HTTP request without an "Authorization" header, the server won't know which authentication scheme the client prefers, thus the client will receive a login page as a challenge with a 401 response code.
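The per-request flow described in Comment 1 is what makes the reporter's "log out" link a no-op: the server keeps no state between Basic requests, so there is nothing for a logout to invalidate, and the browser simply replays its cached Authorization header. The following model of that flow is an added example and is not Business Central or JBoss code; the user table, the realm name taken from the reporter's web.xml, the header-building helper and the visited paths are all constructed for illustration.

```python
"""Model of HTTP Basic authentication as a per-request, stateless check.

Added example (not Business Central / JBoss code).  Assumptions: a plaintext
credential table and a browser that replays cached credentials, both
constructed here so the script runs offline.
"""
import base64
import binascii
import hmac

# Constructed credential store for the demo only; it stands in for the
# realm's user lookup.  A real realm never keeps plaintext passwords.
USERS = {"user1": "pw1", "user2": "pw2"}
REALM = "ApplicationRealm"  # realm-name from the reporter's web.xml


def parse_basic_authorization(header_value):
    """Return (user, password) from an RFC 7617 'Basic <base64>' value, or
    None when the header is absent, uses another scheme, or is malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def handle_request(headers):
    """Decide the response to a single request.

    There is no session: the outcome depends only on this request's headers.
    Returns (status_code, response_headers, authenticated_user_or_None).
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        # No usable Authorization header: the server cannot tell which scheme
        # the client wants, so it answers with a 401 challenge.
        return 401, challenge, None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return 401, challenge, None
    return 200, {}, user


def basic_header(user, password):
    """Build the Authorization header a browser sends once it holds credentials."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}


def browser_visits(cached_credentials, paths):
    """Model a browser replaying cached credentials on every request to the
    realm.  A visit to /logout is just another authenticated request: the
    server holds nothing to invalidate, so the user stays logged in."""
    results = []
    for path in paths:
        headers = basic_header(*cached_credentials) if cached_credentials else {}
        status, _, user = handle_request(headers)
        results.append((path, status, user))
    return results


if __name__ == "__main__":
    for path, status, user in browser_visits(("user1", "pw1"),
                                             ["/home", "/logout", "/home"]):
        print(path, status, user)
```

Contrast this with FORM authentication, where the container holds a server-side session that a logout can invalidate; with Basic the only "logout" is the browser discarding its cached credentials, which the server cannot trigger.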
Comment 2 Ivo Bek 2013-09-23 07:33:39 EDT
Well, this bug is quite outdated and now it doesn't make sense to change the login config when we have https://bugzilla.redhat.com/show_bug.cgi?id=986208, so I think we can close it.
