Clear Client Side SSL State on Logout (using two-way SSL)
I'm working on a project that requires two-way authentication to identify the user to the server. The server then shows information and options available to that user based on their identity.

I put a 'Sign out' link on the main template. The intent of this is to invalidate / clear everything and redirect them to a non-secure page that says 'You have been signed out.' with a 'Sign in' button that will redirect them back to the log in page.

The log in page should prompt the user for their certificate (and it does, the first time). But when you click the 'Sign in' button on the Signed out page it's using the SSL state from the previous user and no certificate prompting occurs.

What I really need is a log out method (prefer not to use JavaScript) that will clear all cache, invalidate all session objects, AND clear the SSL state.

*Here's what I've done so far:*

1.) Set up a security constraint in web.xml that forces any page matching pattern '/secure/*' to only be accessible via https. This is working great...

2.) Created a Filter that prevents cache...

3.) Created a function to sign out...

Any and all help would be GREATLY appreciated!

**Filter code:**

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/secure/*")
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        // HTTP/1.1 caches (browser and intermediaries)
        httpResponse.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
        // HTTP/1.0 caches
        httpResponse.setHeader("Pragma", "no-cache");
        // Proxies.
        httpResponse.setDateHeader("Expires", 0L);
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {}
}
```

**Sign out function**

```java
import java.io.IOException;
import java.text.MessageFormat;
import java.util.Collections;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// OPEN_TOKEN_COOKIE is the name of the application's token cookie, defined elsewhere in the bean.
public void signOut() throws IOException, ServletException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
    // Log out of the container-managed security context
    request.logout();
    // Invalidate the session objects
    externalContext.invalidateSession();
    // Expire the token cookie if the browser sent one
    if (externalContext.getRequestCookieMap().get(OPEN_TOKEN_COOKIE) != null) {
        externalContext.addResponseCookie(OPEN_TOKEN_COOKIE, null,
                Collections.<String, Object>singletonMap("maxAge", 0));
    }
    // Redirect to the (non-secure) sign out page
    String signOutURL = MessageFormat.format("http://{0}{1}/{2}",
            externalContext.getRequestServerName(),
            externalContext.getRequestContextPath(),
            "goodbye.jsf");
    externalContext.redirect(signOutURL);
}
```

---------------------- Edit ----------------------

I know that I stated that I'd prefer not to use JavaScript, but I will until I can find a better solution and I'll share how I've done it with you.

I'm using a PrimeFaces button with the action pointing to the signOut function referenced earlier. The oncomplete parameter points to a JavaScript that clears the SSL State for Internet Explorer and Firefox (haven't tried others yet).

**Sign out button**

```xhtml
<p:commandButton value="Sign out"
                 action="#{adminNavigationBean.signOut}"
                 oncomplete="clearSSLState();"
                 styleClass="commandButton"/>
```

**JavaScript clearSSLState()**

```html
<script type="text/javascript">
    function clearSSLState() {
        // Internet Explorer: clears the authentication cache, including the client certificate choice
        if (document.execCommand) {
            try { document.execCommand("ClearAuthenticationCache"); } catch (e) {}
        }
        // Firefox (legacy API): clears the client certificate state; absent in other browsers
        if (window.crypto && typeof window.crypto.logout === "function") {
            window.crypto.logout();
        }
    }
</script>
```

It's important to note that my goodbye.xhtml page is NOT in my /secure/ folder. If it was, the user would be immediately prompted to select a certificate. This is caused by the security-constraint in web.xml and is the correct behavior.

**web.xml security-constraint**

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Hope this helps others.
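The server cannot make a browser forget its client-certificate choice; only the client-side calls in the post do that. What the server can do is refuse to let an application session outlive the certificate it was created under, so that reused TLS state never surfaces another user's session. The filter below is an added example for this post, not the asker's code: it fingerprints the client certificate the container exposes under the standard `javax.servlet.request.X509Certificate` request attribute and binds the HTTP session to that fingerprint. The class name, the `example.boundClientCertFingerprint` session attribute and the choice to answer with 401 are assumptions made for the example.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not the asker's code): binds every HTTP session under
// /secure/* to the SHA-256 fingerprint of the client certificate that created
// it, so a session is never served to a different certificate holder even
// when the browser keeps reusing cached TLS state after "Sign out".
@WebFilter("/secure/*")
public class CertSessionBindingFilter implements Filter {

    // Session attribute name chosen for this example.
    static final String BOUND_FINGERPRINT = "example.boundClientCertFingerprint";

    // Standard Servlet attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No client certificate on this TLS connection: refuse instead of
            // falling through to whatever session cookie the browser still carries.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }

        String presented = fingerprint(certs[0]);           // leaf certificate
        HttpSession session = request.getSession(true);
        String bound = (String) session.getAttribute(BOUND_FINGERPRINT);

        if (bound == null) {
            // Fresh session (e.g. right after signOut() invalidated the old one):
            // bind it to the certificate actually presented on this request.
            session.setAttribute(BOUND_FINGERPRINT, presented);
        } else if (!bound.equals(presented)) {
            // Certificate changed mid-session: drop the session outright and make
            // the client start over rather than showing another user's data.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Session does not match the presented client certificate");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}

    // Hex SHA-256 over the DER encoding; a fingerprint, unlike the subject DN,
    // also changes when a certificate is reissued or replaced.
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new ServletException("Cannot fingerprint client certificate", e);
        }
    }
}
```

Register it alongside the `NoCacheFilter` from the post. It does not change whether the browser prompts again, which is the part only the client can control, but it does close the gap the question describes: after `signOut()` invalidates the session, the next request under `/secure/*` gets a brand-new session that is bound to whichever certificate the browser sends, and any later mismatch ends the session instead of leaking it.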