
Logout-Problems in the Activiti Explorer

Question asked by b.schnarr on Apr 24, 2014
Latest reply on Feb 8, 2016 by rohitsingh
I succeeded in implementing an SSO-Login based on an IBM LTPA2-Token. Therefore, I implemented a method
public LoggedInUser authenticate(HttpServletRequest request,HttpServletResponse response)
in the DefaultLoginHandler.java which gives back a LoggedInUser. The login is not the problem.

The problem is the logout. When I click on the logout button, the page reloads and I simply land on the default page as the same LoggedInUser even though I deleted the LTPA2-Token from the Browser-Cookies.

In the ExplorerApp, you check the LoggedInUser before executing the authenticate-methods:


  public void onRequestStart(HttpServletRequest request, HttpServletResponse response) {
    // Set current application object as thread-local to make it easy accessible
    current.set(this);
   
    // Authentication: check if user is found, otherwise send to login page
    LoggedInUser user = (LoggedInUser) getUser();
    if (user == null) {
      // First, try automatic login
      user = loginHandler.authenticate(request, response);
      if(user == null) {
        if (mainWindow != null && !mainWindow.isShowingLoginPage()) {
          viewManager.showLoginPage();
        }
      } else {
        setUser(user);
      }
    }

    if(user != null) {
      Authentication.setAuthenticatedUserId(user.getId());
      if (mainWindow != null && mainWindow.isShowingLoginPage()) {
        viewManager.showDefaultPage();
      }
    }
   
    // Callback to the login handler
    loginHandler.onRequestStart(request, response);
  }


I found out that after I click on logout, the
LoggedInUser user = (LoggedInUser) getUser();
is not null which means that the authenticate-methods get skipped and this will be executed:


    if(user != null) {
      Authentication.setAuthenticatedUserId(user.getId());
      if (mainWindow != null && mainWindow.isShowingLoginPage()) {
        viewManager.showDefaultPage();
      }
    }

That leads to the problem that I end up on the same page as before still as a logged in user.

I have no idea why. In my understanding, the following happens when the logout-Button is clicked:

1.)  ExplorerApp.close() gets executed
2.) Within that, getLoginHandler().logout(theUser) gets executed
3.) Logout is finished, page gets reloaded and you end up in the ExplorerApp onRequestStart method, where the authenticate-Methods are.

I use the defaultLoginHandler.onRequestStart to delete the LTPA2Token, when LogoutButton is pressed. This works well.
But to summarize: I click on logout and I am still logged in as the same user because
LoggedInUser user = (LoggedInUser) getUser();
is not null.

Here are my code snippets:

DefaultLoginHandler.onRequestStart


public void onRequestStart(HttpServletRequest request, HttpServletResponse response) {
      if(logout){
       Cookie[] cookies = request.getCookies();
       if(cookies != null){
          for (Cookie cookie : cookies){
             if(cookie.getName().equals("LtpaToken2")){
               Cookie newCookie = new Cookie("LtpaToken2", cookie.getValue());
               newCookie.setPath("/");
               newCookie.setMaxAge(0);
               newCookie.setDomain("****");
               response.addCookie(newCookie);
             }
          }
       }
       logout = false;
      }
   }


DefaultLoginHandler.logout:


   public void logout(LoggedInUser userToLogout) {
      // Clear activiti authentication context
      Authentication.setAuthenticatedUserId(null);
      logout = true;
   }


ExplorerApp.close

  public void close() {
    final LoggedInUser theUser = getLoggedInUser();
   
    // Clear the logged in user
    setUser(null);
   
    // Call loginhandler
    getLoginHandler().logout(theUser);
   
    invalidatedSession = false;
    super.close();
  }


ExplorerApp.onRequestStart:


public void onRequestStart(HttpServletRequest request, HttpServletResponse response) {
    // Set current application object as thread-local to make it easy accessible
    current.set(this);  
   
    if(loginHandler.getLogoutStatus()){
       setUser(null);
    }
   
    // Authentication: check if user is found, otherwise send to login page
    LoggedInUser user = (LoggedInUser) getUser();
   
   //Delete LTPA2-Token when Logout
    loginHandler.onRequestStart(request, response);
   
    if (user == null) {
       System.out.println("User ist null, Login procedure");
      // First, try automatic login
     //LTPA2-SSO-Login
      user = loginHandler.authenticate(request, response);
      if(user == null) {
        if (mainWindow != null && !mainWindow.isShowingLoginPage()) {
          viewManager.showLoginPage();
        }
      } else {
        setUser(user);
      }
    }
   
    if(user != null) {
      Authentication.setAuthenticatedUserId(user.getId());
      if (mainWindow != null && mainWindow.isShowingLoginPage()) {
        viewManager.showDefaultPage();
      }
    }
   
    // Callback to the login handler
    //loginHandler.onRequestStart(request, response);
  }



Does anyone have an idea? Even though I do


    if(loginHandler.getLogoutStatus()){
       setUser(null);
    }


the loggedInUser is not null and therefore the authenticate-methods get skipped.
Help is highly appreciated.

Best regards
Ben
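
An added example, not part of the original post or of Activiti's code: expiring `LtpaToken2` with `response.addCookie` does not remove it from the cookies of the request being processed, so an automatic-login step on that same request can still see the token. The sketch below models this with plain maps standing in for request cookies, session and response (the `sso.loggedOutToken` attribute and the `user-for-` mapping are hypothetical) and refuses SSO login for the token that was just logged out, keeping that state per session rather than in a field of the login handler.

```java
import java.util.*;

// Added illustration: plain collections stand in for the servlet request, response and session.
public class SsoLogoutDemo {
    static final String TOKEN = "LtpaToken2";               // cookie name from the post
    static final String LOGGED_OUT = "sso.loggedOutToken";  // hypothetical session attribute

    // Stand-in for LoginHandler.authenticate(): trusts any token present on the request.
    static String authenticate(Map<String, String> requestCookies) {
        String token = requestCookies.get(TOKEN);
        return token == null ? null : "user-for-" + token;
    }

    // Logout: clear the user, remember the rejected token in this session, expire the cookie.
    static void logout(Map<String, String> requestCookies, Map<String, Object> session,
                       List<String> responseHeaders) {
        session.remove("user");
        session.put(LOGGED_OUT, requestCookies.get(TOKEN));
        responseHeaders.add("Set-Cookie: " + TOKEN + "=; Path=/; Max-Age=0");
    }

    // Request start: automatic login is refused for the token that was logged out.
    static String onRequestStart(Map<String, String> requestCookies, Map<String, Object> session) {
        String user = (String) session.get("user");
        if (user != null) return user;
        String rejected = (String) session.get(LOGGED_OUT);
        if (rejected != null && rejected.equals(requestCookies.get(TOKEN))) {
            return null;                 // browser is still sending the old token
        }
        session.remove(LOGGED_OUT);      // token gone or replaced: allow SSO again
        user = authenticate(requestCookies);
        if (user != null) session.put("user", user);
        return user;
    }

    public static void main(String[] args) {
        Map<String, String> cookies = new HashMap<>(Map.of(TOKEN, "abc")); // constructed value
        Map<String, Object> session = new HashMap<>();
        List<String> headers = new ArrayList<>();

        System.out.println("login:        " + onRequestStart(cookies, session));
        logout(cookies, session, headers);
        // Same cookies again: the Set-Cookie header has not been applied by the browser yet.
        System.out.println("after logout: " + onRequestStart(cookies, session));
        cookies.put(TOKEN, "xyz"); // a fresh SSO login issued a new token (constructed value)
        System.out.println("new token:    " + onRequestStart(cookies, session));
    }
}
```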
