I have an application that requires you to log-in. Authentication is done using TomcatJDBC Security Realm.
My question is how can I create a function that allows someone to logout, meaning their session is killed and if they want to hit the login screen wishing to login under a new profile they will have that chance and not be immediately authenticated.
Thanks,
Luke
SCJP
Keith Pitty
Use a servlet for the purpose of logging out and in that servlet invalidate the session. For example:
[ September 27, 2005: Message edited by: Keith Pitty ]
'Removing authentication details' is different depending on the container you are using, but Keith's code will work in Tomcat.
Wally Hartshorn
I've just started tackling this exact same problem and came across this thread. I've created the servlet as suggested, but after logging out, when I try to log in again, I get this error message in my browser:
Here's Logout.java:
Any suggestions on what I'm doing wrong?
[ September 30, 2005: Message edited by: Wally Hartshorn ]
Just to be sure: I'm assuming the different Logout form mapping and code sample package doesn't have anything to do with it?
Wally Hartshorn
Originally posted by David O'Meara: Just to be sure: I'm assuming the different Logout form mapping and code sample package doesn't have anything to do with it?
Nah, that was just a mistake in my cutting/pasting and editing of the message.
After posting my message, I wondered whether the fact that my login page was named "login.html" (rather than "login.jsp") would have something to do with it. So I tried renaming the file to "login.jsp" (even though it doesn't currently have any JSP code in it) and made the corresponding changes to the web.xml and Logout.java code. Then when I logged out, I got this message:
HTTP Status 400 - Invalid direct reference to form login page
Okay, so apparently trying to go directly to login.jsp is a no-no. So I changed my Logout.java code to forward to the main page of the web app, on the assumption that it would instead redirect to display the login page. Instead, it displayed the main page, but would not display an image that was on the page. Apparently, since the Logout servlet said to display the page, that was allowed, but none of the stuff requested by that page would be allowed until the user logged in.
Hmm... Still stuck! Any ideas?
Wally Hartshorn
I think I just solved my problem.
In my Logout.java class, I changed this:
to this:
For whatever reason, that seems to have done the trick! I got the idea from this snippet in Tomcat's "webapps\jsp-examples\security\protected\index.jsp" code:
Here's the final Logout.java class:
(If anyone sees any "gotchas" to this method, please let me know!)
OK, you're quite right. The original problem is a bit convoluted and I'm not sure I understand it myself (interaction between Struts, Post and the RequestDispatcher) but good job for solving it and thanks for the update.
Srinivasa Kadiyala
I have used this code for one of my applications and noticed that after I log out, when I click the browser back button, the previous page from when I was logged on is appearing. It should not if I log out and kill the session.
Please start a new thread and provide a link referring to this thread. The original problem has been solved and people are less likely to join the conversation and help you out.
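Added example (not code from any poster in this thread): one way to write a logout servlet for Tomcat form login that matches what the thread observed, plus a filter for the back-button behaviour raised in the last post. The class names and the "/index.jsp" protected page are assumptions.

```java
// Added example. LogoutServlet, NoCacheFilter and "/index.jsp" are hypothetical names.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // ends the authenticated session
        }
        // Redirect (a fresh browser request) to a protected page instead of
        // forwarding or pointing at the login page directly. The container
        // intercepts the unauthenticated request and shows the login form
        // itself, so every later request from that page is authenticated.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    // Nested only to keep the example in one file; in web.xml the filter-class
    // would be LogoutServlet$NoCacheFilter, mapped to the protected URL patterns.
    // It stops the browser redisplaying a protected page from cache on "Back".
    public static class NoCacheFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse http = (HttpServletResponse) resp;
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            http.setHeader("Pragma", "no-cache"); // for HTTP/1.0 clients
            http.setDateHeader("Expires", 0);
            chain.doFilter(req, resp);
        }
    }
}
```

Invalidating the session cannot remove a page the browser has already cached, which is why the cache headers have to be sent with the protected pages themselves rather than by the logout servlet.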