10 Replies Latest reply: Jan 22, 2013 3:37 AM by Brent Harlow RSS

    logoutDestinationURL ignored by JHS AuthenticationFilter

    Brent Harlow
      Hi Steven,

      JDeveloper :
      JHeadstart :

      I have created a basic ADF app using JHeadstart
      - New application
      - Add JHS_USERS entity/view object/AppModule to Model project
      - Enable JHeadstart on view project
      - Set "Authentication Type" = custom
      - Set "Authorization Type" = custom
      - Select Secure all Pages
      - Select Authorize using group permissions
      - Create JHeadstart definition for AppModule

      What I want to achieve is to change the jhsAuthenticationFilter logoutDestinationURL parameter to an external web address. The problem is, the user is never being forwarded to this.

      I put a breakpoint in the oracle.jheadstart.controller.jsf.AuthenticationFilter class at the point where it checks the request URL (line 223). I then followed this process ...

      1. Run UIShell.jspx
      2. Log in to the application
      3. Click on the logout link
      4. The requestURL is "/faces/security/pages/Logout.jspx" - as per the logoutURL parameter
      5. As the user is logged in, the code moves to check if the requestURL ends with logoutURL (which it does)
      6. session.invalidate(); is called
      *7. The code below this call (line 263 onwards) never gets run - after the session.invalidate(), the AuthenticationFilter is immediately called again with the request of /faces/UIShell*
      8. As the user is not logged in (session has been invalidated), user is forwarded to the loginUrl, the code to redirect the user to the logoutDestinationUrl is never run ?

      Can you replicate this ? I can send the test case if you like.


      Edited by: Brent Harlow on Jan 16, 2013 5:26 PM

      This only fails to work when using IE9 - in Firefox and Chrome it's fine - I've had other issues with IE9 and the call to session.invalidate() - I'm guessing that something in combination with weblogic 10.3.5 and IE9 that is not working when you try and invalidate the session !