tags:

views:

144

answers:

2
+2  Q: 

Servlet 3.0 logout doesn't work

I've got a problem with the authentication features of Servlet 3.0:

With this code in a Servlet v3: 

log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());
log.info("===^===");
request.logout() ;
log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());
request.authenticate(response) ;
log.info("===v===");
log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());

I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulate the credential and cancel my logout ...

Admin

BASIC

===^===

null

null

===v===

Admin

BASIC

Is it a problem with my firefox, or something I'm missing in the Servlet code?

+1  A: 

It's neither. Once logged in, the browser will always pass your user id and password to the url. Until you restart your browser. As far as I know each browser does that. And as far as I know there's currently no way to tell the browser to forget about the credentials.

However, you'll see your session will be different once you logged out. The usual solution is to add a variable of some kind to the session. Say "loggedin". If this variable is missing you know the user has to log in first and you'll redirect to say login.jsp. And once the user passed this jsp you set this variable again.

Using filters you can enforce this system-wide.

Jan Goyvaerts  2010-05-23 13:01:28
How would such a login.jsp look like? I want the user of my web application to be able to login with a different account using basic authetication.
kuester2000  2010-06-10 15:45:41
+1  A: 

I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulate the credential and cancel my logout ...

That's the way HTTP BASIC AUTH was designed, it allows all authenticate state to be kept in the client. In other words, its impossible to logout with basic/digest authentication, the server cannot stop a client from caching and resending a BASIC auth authenticator on subsequent requests to the server.

My suggestion is to use form based authentication and the login method of HTTPServletRequest.

References

Pascal Thivent  2010-05-23 14:46:50
the form based authentication seems to work correctly, although the BASIC popup box was quite conveniant, I guess I'm not the only one who tried to use it this way!
Kevin  2010-05-23 18:31:37

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java