openid logging out


Matthew Pocock

May 25, 2012, 7:32:00 AM
to gwtse...@googlegroups.com
Hi,

I have built an app by extending your openid example. The login and logout work well at the gwt application level. However, once a user has signed in to my app using openid, the next time they aren't challenged with a username/password. This firstly means that anybody with access to that computer can use the app as them. Secondly, it means that if two people need to access my app from the same computer, they can't, because it has remembered the first user.

Is there some extra magic that I need to add so that on each login via openid, the user is challenged with a username and password?

Thanks,

Matthew

--
Dr Matthew Pocock
Integrative Bioinformatics Group, School of Computing Science, Newcastle University
skype: matthew.pocock
tel: (0191) 2566550

葉冠宏

May 25, 2012, 10:58:38 AM
to gwtse...@googlegroups.com
Matthew:
   I have to say that it is indeed a problem to sign out of OpenID even if your client signs out of the GWT application via the /j_spring_security_logout URL, because next time Spring Security will try to exchange the user's attributes with the OpenID server again.

According to this post, some OpenID servers like Google or Yahoo provide a logout URL.

So my suggestion is to modify applicationContext-security.xml's logoutSuccessHandler property "logoutSuccessUrl", setting it to the OpenID server's logout URL so that you log out of both sites completely.

Good luck

Kent 



Matthew Pocock

May 25, 2012, 11:30:56 AM
to gwtse...@googlegroups.com
Hi Kent,

Thanks for that. I've had a read through that thread, but it sounds like using one of those OpenID URLs logs you entirely out of your account. For example, using the Google one logs me out of Gmail as well as my application. This is certainly not what I want to do! I just want that the next time I try to log into my app through (e.g.) Google OpenID, it doesn't just automatically log me in as the previous user.

I'm not sure how OpenID knows that it is me the second time, since I haven't told it. Presumably the Spring OpenID stuff must be remembering my identity somehow between sessions, but I don't know how.

Matthew

葉冠宏

May 26, 2012, 2:37:43 AM
to gwtse...@googlegroups.com
Hi:
   Most OpenID providers keep the session until the browser is closed. Because SS (Spring Security) depends on the OpenID login, if the OpenID provider's session has not expired, the SS session is not expired either (even if the SS session times out, SS will try to recover the user principal, which is called "Session Reset").

   A total sign-out only happens when both your site's and the OpenID site's sessions have expired, so my suggestion is not to provide a sign-out anchor in your application and to set the session timeout as short as possible (e.g. 30 mins).

  OpenID has some security issues, so I don't want to provide an external OpenID except my own.

Kent

Best regards,
葉冠宏
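The two suggestions in this thread (an application-side logout, and a short container session timeout) put together as a Spring Security 3.x XML namespace configuration. This is an added example, not configuration from the thread or from the gwt-security project: the `openIdUserService` bean, the URL paths and the provider logout URL are assumed placeholders, and the comments spell out what each setting can and cannot achieve against the provider-side session the thread is about.

```xml
<!-- applicationContext-security.xml (constructed example, Spring Security 3.x namespace) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="false" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <!-- OpenID login. user-service-ref points at an assumed bean that maps the
             returned OpenID identity to local roles; it is not part of this example. -->
        <openid-login login-page="/login"
                      authentication-failure-url="/login?error=1"
                      user-service-ref="openIdUserService" />

        <!-- Application-side logout only: invalidates this app's HttpSession and clears
             the SecurityContext. It does nothing to the session the OpenID provider keeps
             in the browser's cookies, which is why the next OpenID login is not
             re-challenged and a shared computer will resume as the previous user. -->
        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/login?logout=1"
                invalidate-session="true" />

        <!-- Users whose container session has expired are sent back to the login page
             rather than silently re-authenticated through a stale context. -->
        <session-management invalid-session-url="/login?expired=1" />
    </http>

    <!-- Variant suggested in the thread: redirect to the provider's own logout URL.
         This ends the provider session too, at the cost of logging the user out of every
         service on that provider (the objection raised above). The URL is a placeholder;
         use the one the provider documents.
    <logout logout-url="/j_spring_security_logout"
            logout-success-url="https://openid-provider.example/logout"
            invalidate-session="true" />
    -->
</beans:beans>
```

To pair this with the short timeout suggested above, set the container session length in web.xml with `<session-config><session-timeout>30</session-timeout></session-config>` (minutes). Neither setting can log the user out of the provider on its own; the realistic choice is between the provider-wide logout redirect and accepting that, on a shared browser, the provider's session outlives the application's.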