Posted to users@tomcat.apache.org by Markus Kirsten <ma...@iped.vxu.se> on 2002/06/07 19:49:58 UTC

Logout using FORM based authentication

Hi,
I use a JDBC Realm with FORM based authentication but haven't figured 
out a way for users to log out. Is it just to call session.invalidate() 
or is there any better way to do it?


Markus


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Logout using FORM based authentication

Posted by Eric Everman <ev...@precedadesign.com>.
There are definitely some issues involved here.

If you are working on a company site that will restrict access of the site 
to a list of people that is managed separately (i.e. the HR department or IT 
department adds a person as a user who is allowed to access the site), 
container managed security is for you.

If you are working on a site that you want to allow visitors to create 
profiles / logins on the fly, stick with your existing session key system.

The 'key' reason is this:  The servlet API provides no access to the login 
mechanism - you cannot programmatically log a user in.  So if you direct a 
user to a 'create new login' page, you have no way to cause the user to be 
logged in after they have finished creating the login.  You can have your 
users create a profile on one page, save the results to your security db, 
then have the user login on another page that posts to j_security_check, 
but there is no way to do it in one step - very confusing for casual visitors.

One nice feature of the 2.3 spec is filters, which to some degree will 
allow you to extend your session key security to behave *similarly* to the 
declarative security of the CMA.  By that I mean that by using a filter, 
you can configure the security in the web.xml file, rather than having to 
add tags or other logic to pages in order to protect them.


Best of luck,

Eric Everman


At 03:12 PM 6/7/2002, you wrote:
>Hi Eric,
>Thank you for verifying that. I've actually made my own authentication 
>before but when I read about container-managed authentication I realised 
>that that was exactly what I was looking for.
>
>Is there any reason for keeping the user's login as a session attribute or 
>is it better to use request.getRemoteUser() ? What's the praxis?
>
>
>Markus
>
>
>On Friday, June 7, 2002, at 09:12, Eric Everman wrote:
>
>>Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was 
>>no longer logged in.  The 2.3 servlet spec states that a client is logged 
>>out when their session is invalidated.  So if Tomcat works as advertised, 
>>session.invalidate() should do what you expect.
>>
>>Eric Everman
>>
>>At 12:49 PM 6/7/2002, you wrote:
>>>Hi,
>>>I use a JDBC Realm with FORM based authentication but haven't figured 
>>>out a way for users to log out. Is it just to call session.invalidate() 
>>>or is there any better way to do it?


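The web.xml-configured filter Eric describes, written out as an added example (not code from the thread or from Tomcat): it protects the URLs it is mapped to by requiring a session attribute that the site's own login page sets. The init-param names keyAttribute and loginPage, the attribute name userKey, the /login.jsp page and the /members/* mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/*
 * Guards the URLs it is mapped to in web.xml, so the protected area is declared
 * there rather than in each page. Assumed web.xml fragment:
 *   <filter><filter-name>SessionKeyFilter</filter-name>
 *     <filter-class>SessionKeyFilter</filter-class>
 *     <init-param><param-name>keyAttribute</param-name><param-value>userKey</param-value></init-param>
 *     <init-param><param-name>loginPage</param-name><param-value>/login.jsp</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>SessionKeyFilter</filter-name>
 *     <url-pattern>/members/*</url-pattern></filter-mapping>
 */
public class SessionKeyFilter implements Filter {
    private String keyAttribute; // session attribute the site's own login page sets
    private String loginPage;    // context-relative page for unauthenticated visitors

    public void init(FilterConfig config) throws ServletException {
        keyAttribute = config.getInitParameter("keyAttribute");
        loginPage = config.getInitParameter("loginPage");
        if (keyAttribute == null || loginPage == null) {
            throw new ServletException("keyAttribute and loginPage init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) does not create a session for an anonymous visitor
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(keyAttribute) == null) {
            // Not logged in: redirect and do not pass the request down the chain
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```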


Re: Logout using FORM based authentication

Posted by Markus Kirsten <ma...@iped.vxu.se>.
Hi Eric,
Thank you for verifying that. I've actually made my own authentication 
before but when I read about container-managed authentication I realised 
that that was exactly what I was looking for.

Is there any reason for keeping the user's login as a session attribute 
or is it better to use request.getRemoteUser() ? What's the praxis?


Markus


On Friday, June 7, 2002, at 09:12, Eric Everman wrote:

> Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was 
> no longer logged in.  The 2.3 servlet spec states that a client is 
> logged out when their session is invalidated.  So if Tomcat works as 
> advertised, session.invalidate() should do what you expect.
>
> Eric Everman
>
> At 12:49 PM 6/7/2002, you wrote:
>> Hi,
>> I use a JDBC Realm with FORM based authentication but haven't figured 
>> out a way for users to log out. Is it just to call 
>> session.invalidate() or is there any better way to do it?




Re: Logout using FORM based authentication

Posted by Eric Everman <ev...@precedadesign.com>.
Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was no 
longer logged in.  The 2.3 servlet spec states that a client is logged out 
when their session is invalidated.  So if Tomcat works as advertised, 
session.invalidate() should do what you expect.

Eric Everman

At 12:49 PM 6/7/2002, you wrote:
>Hi,
>I use a JDBC Realm with FORM based authentication but haven't figured out 
>a way for users to log out. Is it just to call session.invalidate() or is 
>there any better way to do it?
>
>
>Markus


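Eric's answer as an added servlet example (not code from the thread or from Tomcat): the servlet invalidates the session, which the 2.3 spec defines as logging the client out, and then redirects. The /logout mapping, the logoutTarget init-param and the log message are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Logout for container-managed FORM authentication. Under Servlet 2.3 the
 * container treats the client as logged out once its session is invalidated,
 * so that is all this servlet has to do. Assumed mapping: /logout, reached by
 * POST from a logout form so that a plain link cannot log someone out.
 */
public class LogoutServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Read the principal first; it may no longer be available after invalidate()
        String user = request.getRemoteUser();
        // getSession(false) so an already logged-out client gets no new session
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        if (user != null) {
            getServletContext().log("Logged out: " + user);
        }
        // Assumed init-param; defaults to the context root, where FORM auth
        // will challenge again if that area is protected
        String target = getInitParameter("logoutTarget");
        if (target == null) {
            target = request.getContextPath() + "/";
        }
        response.sendRedirect(target);
    }
}
```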