I have an application that requires you to log in. Authentication is done using Tomcat JDBC Security Realm.
My question is how can I create a function that allows someone to logout, meaning their session is killed and if they want to hit the login screen wishing to login under a new profile they will have that chance and not be immediately authenticated.
I've just started tackling this exact same problem and came across this thread. I've created the servlet as suggested, but after logging out, when I try to log in again, I get this error message in my browser:
Any suggestions on what I'm doing wrong? [ September 30, 2005: Message edited by: Wally Hartshorn ]
Just to be sure: I'm assuming the different Logout form mapping and code sample package doesn't have anything to do with it?
Originally posted by David O'Meara: Just to be sure: I'm assuming the different Logout form mapping and code sample package doesn't have anything to do with it?
Nah, that was just a mistake in my cutting/pasting and editing of the message.
After posting my message, I wondered whether the fact that my login page was named "login.html" (rather than "login.jsp") would have something to do with it. So I tried renaming the file to "login.jsp" (even though it doesn't currently have any JSP code in it) and made the corresponding changes to the web.xml and Logout.java code. Then when I logged out, I got this message:
HTTP Status 400 - Invalid direct reference to form login page
Okay, so apparently trying to go directly to login.jsp is a no-no. So I changed my Logout.java code to forward to the main page of the web app, on the assumption that it would instead redirect to display the login page. Instead, it displayed the main page, but would not display an image that was on the page. Apparently, since the Logout servlet said to display the page, that was allowed, but none of the stuff requested by that page would be allowed until the user logged in.
Hmm... Still stuck! Any ideas?
I think I just solved my problem.
In my Logout.java class, I changed this:
For whatever reason, that seems to have done the trick! I got the idea from this snippet in Tomcat's "webapps\jsp-examples\security\protected\index.jsp" code:
Here's the final Logout.java class:
(If anyone sees any "gotchas" to this method, please let me know!)
OK, you're quite right. The original problem is a bit convoluted and I'm not sure I understand it myself (interaction between Struts, Post and the RequestDispatcher) but good job for solving it and thanks for the update.
I have used this code for one of my applications and noticed that after I log out, when I click the browser back button, the previous page from when I logged on is appearing. It should not if I log out and kill the session.
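An added example, not code from any poster in this thread: a logout servlet that invalidates the session and redirects (rather than forwards) to a protected page so the container presents the login form itself, plus a filter that marks protected responses as non-cacheable so the Back button cannot redisplay them after logout. The class names, the `/index.jsp` target and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class names and the /index.jsp target are assumptions.
public final class LogoutExample {

    /** Map in web.xml to e.g. /logout, outside the security-constraint. */
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // getSession(false): never create a session just to destroy it.
            HttpSession session = req.getSession(false);
            if (session != null) {
                // With form login the authenticated identity lives in the session.
                session.invalidate();
            }
            // A redirect makes the browser issue a fresh request for a protected
            // page; the container intercepts it and shows the login form.
            // Requesting the login page directly is what produced the 400 above.
            resp.sendRedirect(req.getContextPath() + "/index.jsp");
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            doGet(req, resp);
        }
    }

    /** Map to the same url-pattern as the security-constraint. */
    public static class NoCacheFilter implements Filter {
        public void init(FilterConfig cfg) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse http = (HttpServletResponse) resp;
            // Tell the browser and proxies not to keep a copy of protected pages.
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            http.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
            http.setDateHeader("Expires", 0);
            chain.doFilter(req, resp);
        }
    }
}
```

The cache headers have to be on the protected pages themselves; setting them only on the logout response does not affect pages the browser cached earlier.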