You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@sling.apache.org by Ben Short <be...@benshort.co.uk> on 2009/10/13 22:20:18 UTC
Logout
Hi,
I need to add a link that allows users to logout of my website. After
trawling the web I haven't found a way to logout a user while using
http basic authentication.
This seems like a bit of a killer for me. Can anyone suggest how I
might proceed?
Regards
Ben Short
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
I'm wondering about the following as a not so elegant solution to the
logout 'issue'
Create a filter that will be the first filter in the filter chain if
would do something like as follows..
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpSession httpSession = ((HttpServletRequest)request).getSession(false);
String basicAuth = null;
if ( httpSession != null ) {
basicAuth = (String)httpSession.getAttribute("basicAuth");
}
if ( basicAuth != null ) {
// wrap the request so that when the basic auth header is requested
the basicAuth is returned.
// wrap the response so that is te basic auth header is set its not
set on the encapsulated
// responce but we can get it in this filter.
chain.doFilter(wrapRequest(request, basicAuth), wrapResponce(response));
basicAuth = ((OurHttpServletResponse)response).getHeader("authorization ");
if ( basicAuth != null ) {
httpSession = ((HttpServletRequest)request).getSession(true);
httpSession.setAttribute("basicAuth", basicAuth);
}
} else {
chain.doFilter(request, response);
}
}
This would ensure that a http session stuck around and could be
invalidated and therefore logging out the user.
Any thoughts?
Regards
Ben
2009/10/14 Ben Short <be...@benshort.co.uk>:
> I just googled, should of done before asking my last question, and see
> that the value in the basic auth header is the the user name and
> password Base64 encoded.
>
> 2009/10/14 Ben Short <be...@benshort.co.uk>:
>> What is the value in the basic auth header and how does it relate to
>> the user? and where are the user details stored?
>>
>>
>> 2009/10/13 Alexander Klimetschek <ak...@day.com>:
>>> On Tue, Oct 13, 2009 at 22:20, Ben Short <be...@benshort.co.uk> wrote:
>>>> I need to add a link that allows users to logout of my website. After
>>>> trawling the web I haven't found a way to logout a user while using
>>>> http basic authentication.
>>>>
>>>> This seems like a bit of a killer for me. Can anyone suggest how I
>>>> might proceed?
>>>
>>> You can send an XHR request with invalid credentials (using
>>> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
>>> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>>>
>>> Regards,
>>> Alex
>>>
>>> --
>>> Alexander Klimetschek
>>> alexander.klimetschek@day.com
>>>
>>
>
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
I just googled, should of done before asking my last question, and see
that the value in the basic auth header is the the user name and
password Base64 encoded.
2009/10/14 Ben Short <be...@benshort.co.uk>:
> What is the value in the basic auth header and how does it relate to
> the user? and where are the user details stored?
>
>
> 2009/10/13 Alexander Klimetschek <ak...@day.com>:
>> On Tue, Oct 13, 2009 at 22:20, Ben Short <be...@benshort.co.uk> wrote:
>>> I need to add a link that allows users to logout of my website. After
>>> trawling the web I haven't found a way to logout a user while using
>>> http basic authentication.
>>>
>>> This seems like a bit of a killer for me. Can anyone suggest how I
>>> might proceed?
>>
>> You can send an XHR request with invalid credentials (using
>> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
>> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>>
>> Regards,
>> Alex
>>
>> --
>> Alexander Klimetschek
>> alexander.klimetschek@day.com
>>
>
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
What is the value in the basic auth header and how does it relate to
the user? and where are the user details stored?
2009/10/13 Alexander Klimetschek <ak...@day.com>:
> On Tue, Oct 13, 2009 at 22:20, Ben Short <be...@benshort.co.uk> wrote:
>> I need to add a link that allows users to logout of my website. After
>> trawling the web I haven't found a way to logout a user while using
>> http basic authentication.
>>
>> This seems like a bit of a killer for me. Can anyone suggest how I
>> might proceed?
>
> You can send an XHR request with invalid credentials (using
> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
>
Re: Logout
Posted by Alexander Klimetschek <ak...@day.com>.
On Tue, Oct 13, 2009 at 22:20, Ben Short <be...@benshort.co.uk> wrote:
> I need to add a link that allows users to logout of my website. After
> trawling the web I haven't found a way to logout a user while using
> http basic authentication.
>
> This seems like a bit of a killer for me. Can anyone suggest how I
> might proceed?
You can send an XHR request with invalid credentials (using
?sling:authRequestLogin=1). Note that this works on Firefox and IE
only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
Regards,
Alex
--
Alexander Klimetschek
alexander.klimetschek@day.com
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
Hi,
Thanks for all this information.
It would be very handy for me and probably others if a good working
example was put together showing how this all works.
Regards
Ben Short
2009/10/15 Alexander Klimetschek <ak...@day.com>:
> On Wed, Oct 14, 2009 at 19:04, Paul McMahon <or...@yahoo.com> wrote:
>> Here's an explanation of why you can't do a basic auth logout:
>>
>> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>>
>> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>
> As I noted, you can with some tricks, using XHR (ajax). Although my
> first answer was a bit wrong. Here is how you do it. For IE, you can
> manually clear the cache with a javascript function, although that
> removes all credentials currently cached IIRC. For Firefox, you simply
> force a login in sling with the anonymous user:
>
> if (document.all) {
> // Internet Explorer: 'ClearAuthenticationCache' is only available in IE
> document.execCommand('ClearAuthenticationCache');
>
> } else {
> var xmlhttp;
> if (window.XMLHttpRequest) {
> xmlhttp = new XMLHttpRequest();
> } else if (window.ActiveXObject) {
> try {
> xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
> } catch (ex) {
> try {
> xmlhttp = new ActiveXObject('Microsoft.XMLHTTP');
> } catch (ex) {}
> }
> }
> if (xmlhttp.readyState < 4) {
> xmlhttp.abort();
> }
> // Firefox/Mozilla: use anonymous "login" to trigger a "logout"
> xmlhttp.open('GET', '/?sling:authRequestLogin=1', false,
> 'anonymous', 'null');
> xmlhttp.send('');
> }
>
> For Safari, Chrome and Opera you have to use the Authorization cookie,
> as noted before.
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
>
Re: Logout
Posted by Alexander Klimetschek <ak...@day.com>.
On Wed, Oct 14, 2009 at 19:04, Paul McMahon <or...@yahoo.com> wrote:
> Here's an explanation of why you can't do a basic auth logout:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>
> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
As I noted, you can with some tricks, using XHR (ajax). Although my
first answer was a bit wrong. Here is how you do it. For IE, you can
manually clear the cache with a javascript function, although that
removes all credentials currently cached IIRC. For Firefox, you simply
force a login in sling with the anonymous user:
if (document.all) {
// Internet Explorer: 'ClearAuthenticationCache' is only available in IE
document.execCommand('ClearAuthenticationCache');
} else {
var xmlhttp;
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
try {
xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
} catch (ex) {
try {
xmlhttp = new ActiveXObject('Microsoft.XMLHTTP');
} catch (ex) {}
}
}
if (xmlhttp.readyState < 4) {
xmlhttp.abort();
}
// Firefox/Mozilla: use anonymous "login" to trigger a "logout"
xmlhttp.open('GET', '/?sling:authRequestLogin=1', false,
'anonymous', 'null');
xmlhttp.send('');
}
For Safari, Chrome and Opera you have to use the Authorization cookie,
as noted before.
Regards,
Alex
--
Alexander Klimetschek
alexander.klimetschek@day.com
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
Well I gave it ago but the ServletRequest gets cast to a
SlingHttpServletRequestImpl further in the chain and this class is not
available to my filter when the bundle is deployed.
Scuppered at every turn :S
2009/10/14 Ben Short <be...@benshort.co.uk>:
> Paul,
>
> Yes I have read this document and understand the problem..
>
> So as a work around for me, without having to break the way sling
> operates, is create a filter that sits first in the filter chain. It
> wraps the request and response to catches the basic auth header if set
> further in the filter chain. If it the basic auth header was set then
> it creates a http session and adds the auth header value as a session
> attribute. This results in a sesson cookie being sent to the browser.
>
> Next time the browser sends a request the session cookie is sent and
> the session is looked up. we can then get the auth header value
> session attribute and add it into our wrapped request as a header.
>
> So sling thinks its dealing with a request with basic auth and the
> browser is dealing with session based requests.
>
> Its just an idea at the moment as I can't get the filter to load as yet :(
>
> I'd really like to use sling for my project but not being able to log
> out a user in a standard way across all browsers is a bit of a
> blocker. I can just imagine trying to explain to people that they need
> to close the browser to log out. its not going to go down well. and
> with google chrome and its multiple tabs it seems you have to close
> all of them as just closing the tab dosnt clear the basic auth.
>
> Regards
>
> Ben
>
> 2009/10/14 Paul McMahon <or...@yahoo.com>:
>> Here's an explanation of why you can't do a basic auth logout:
>>
>> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>>
>> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>>
>> I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.
>>
>> Paul McMahon
>>
>> --- On Tue, 10/13/09, Ben Short <be...@benshort.co.uk> wrote:
>>
>> From: Ben Short <be...@benshort.co.uk>
>> Subject: Logout
>> To: users@sling.apache.org
>> Date: Tuesday, October 13, 2009, 2:20 PM
>>
>> Hi,
>>
>> I need to add a link that allows users to logout of my website. After
>> trawling the web I haven't found a way to logout a user while using
>> http basic authentication.
>>
>> This seems like a bit of a killer for me. Can anyone suggest how I
>> might proceed?
>>
>> Regards
>>
>> Ben Short
>>
>>
>>
>>
>
Re: Logout
Posted by Ben Short <be...@benshort.co.uk>.
Paul,
Yes I have read this document and understand the problem..
So as a work around for me, without having to break the way sling
operates, is create a filter that sits first in the filter chain. It
wraps the request and response to catches the basic auth header if set
further in the filter chain. If it the basic auth header was set then
it creates a http session and adds the auth header value as a session
attribute. This results in a sesson cookie being sent to the browser.
Next time the browser sends a request the session cookie is sent and
the session is looked up. we can then get the auth header value
session attribute and add it into our wrapped request as a header.
So sling thinks its dealing with a request with basic auth and the
browser is dealing with session based requests.
Its just an idea at the moment as I can't get the filter to load as yet :(
I'd really like to use sling for my project but not being able to log
out a user in a standard way across all browsers is a bit of a
blocker. I can just imagine trying to explain to people that they need
to close the browser to log out. its not going to go down well. and
with google chrome and its multiple tabs it seems you have to close
all of them as just closing the tab dosnt clear the basic auth.
Regards
Ben
2009/10/14 Paul McMahon <or...@yahoo.com>:
> Here's an explanation of why you can't do a basic auth logout:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>
> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>
> I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.
>
> Paul McMahon
>
> --- On Tue, 10/13/09, Ben Short <be...@benshort.co.uk> wrote:
>
> From: Ben Short <be...@benshort.co.uk>
> Subject: Logout
> To: users@sling.apache.org
> Date: Tuesday, October 13, 2009, 2:20 PM
>
> Hi,
>
> I need to add a link that allows users to logout of my website. After
> trawling the web I haven't found a way to logout a user while using
> http basic authentication.
>
> This seems like a bit of a killer for me. Can anyone suggest how I
> might proceed?
>
> Regards
>
> Ben Short
>
>
>
>
Re: Logout
Posted by Paul McMahon <or...@yahoo.com>.
Here's an explanation of why you can't do a basic auth logout:
http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.
Paul McMahon
--- On Tue, 10/13/09, Ben Short <be...@benshort.co.uk> wrote:
From: Ben Short <be...@benshort.co.uk>
Subject: Logout
To: users@sling.apache.org
Date: Tuesday, October 13, 2009, 2:20 PM
Hi,
I need to add a link that allows users to logout of my website. After
trawling the web I haven't found a way to logout a user while using
http basic authentication.
This seems like a bit of a killer for me. Can anyone suggest how I
might proceed?
Regards
Ben Short