Posted to users@tomcat.apache.org by Chema <de...@gmail.com> on 2011/09/07 13:20:54 UTC

Realm & SSL : issue when logout

Hello:

I've got a web application running on Tomcat 7.0.16.
It uses realm authentication to validate users (FORM login method
with a custom login page named login.html)
and it's secured by SSL with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ssl</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

So, if I type https://localhost:8080/protected.html, Tomcat redirects
to my login.html page to authenticate the user,
and, if it's valid, returns main.html.
All fine.


The web application has a service that implements logout in two steps:

- session.invalidate()
- redirect to protected.html


Well, when I invoked that service, I expected that, when redirecting to
protected.html, since I had invalidated the session before and protected.html is
a protected resource, Tomcat would redirect my browser to login.html.
But it didn't: protected.html was returned.

If I repeat these steps without the SSL configuration, Tomcat does
(it redirects my browser to login.html).


What do I need to finish an SSL session so that the realm mechanism knows it?


Thanks and regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Realm & SSL : issue when logout

Posted by Chema <de...@gmail.com>.
> Why getContext("/app") ??
>
> HTTP Sessions are local to each web application.
>
> If "protected.html" belongs to a different web application, it would
> not (and cannot) know that you invalidated session in this webapp.

Hi

You're right: protected.html belongs to another web application.
But my Tomcat is configured with Single Sign On and, according to the docs,

"as soon as the user logs out of one web application (for example, by
invalidating the corresponding session if form based login is used),
the user's sessions in all web applications will be invalidated."

http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single Sign On


Anyway, this problem also occurs with a single, simple web application.
As I said in another thread, this issue was solved, at least, in Tomcat 7.0.21
(my tests were on 7.0.11).


Regards



Re: Realm & SSL : issue when logout

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/7 Chema <de...@gmail.com>:
> ServletContext context = this.getServletContext().getContext("/app");
> if (context != null)
>        response.sendRedirect(context.getContextPath() + "/protected.html" );
>
> I hoped that login.html was return but protected.html is
>

Why getContext("/app") ??

HTTP Sessions are local to each web application.

If "protected.html" belongs to a different web application, it would
not (and cannot) know that you invalidated session in this webapp.

Best regards,
Konstantin Kolinko



Re: Realm & SSL : issue when logout

Posted by Chema <de...@gmail.com>.
Thanks, but that didn't work for me.

I've got

<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150"
           port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
           sslProtocol="TLS"/>

in my server.xml

And I've created a SessionTrackingModeListener (just like the manual) and
modified web.xml to register this listener.

And now I finish the SSL session with

// invalidate the HTTP session
session.invalidate();
// invalidate the SSL session through the manager Tomcat exposes on the request
// (the attribute is only present on HTTPS requests, hence the null check)
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager) request.getAttribute("javax.servlet.request.ssl_session_mgr");
if (mgr != null) {
    mgr.invalidateSession();
}
// make sure the client does not reuse this connection
response.setHeader("Connection", "close");
ServletContext context = this.getServletContext().getContext("/app");
if (context != null) {
    response.sendRedirect(context.getContextPath() + "/protected.html");
}


I hoped that login.html would be returned, but protected.html is.


I can't find any doc about realm + SSL. What's wrong?

Thanks and regards




2011/9/7 Mark Thomas <ma...@apache.org>:
> On 07/09/2011 12:20, Chema wrote:
>> What do I need to finish an SSL session so that the realm mechanism knows it?
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application
>
> Mark

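The two pieces this reply describes, the listener "from the manual" and the SSL-session logout, shown end to end as an added example. This is editor-supplied code, not code from the original poster or from the Tomcat project; it follows the approach in the SSL how-to Mark linked, with a null check on the session manager and a Servlet 3.0 request.logout() added. Assumed: Tomcat 7 with the Servlet 3.0 API, FORM login already configured in web.xml, and the hypothetical names /logout and protected.html. The redirect stays inside the same context instead of calling getContext("/app"), for the reason Konstantin gives elsewhere in the thread: HTTP sessions are local to each web application.

```java
// Added example (editor-supplied, not from the original thread or Tomcat).
// Two source files, shown one after the other. Assumes Tomcat 7 / Servlet 3.0,
// FORM login configured in web.xml, and the hypothetical names /logout and
// protected.html.

// --- File: SessionTrackingModeListener.java ---
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/** Switches this web application to SSL session tracking at startup. */
@WebListener
public class SessionTrackingModeListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        // The HTTP session id becomes the TLS session id: no JSESSIONID cookie
        // and no ;jsessionid= URL rewriting are used for this context.
        context.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to clean up
    }
}

// --- File: LogoutServlet.java ---
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.tomcat.util.net.SSLSessionManager;

/** POST /logout: ends the authenticated HTTP session and the TLS session. */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    /** Request attribute under which Tomcat exposes the SSL session manager. */
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop the container-managed principal (Servlet 3.0).
        request.logout();

        // 2. Invalidate the HTTP session, without creating one if none exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Under SSL session tracking the session id is the TLS session id,
        //    so the TLS session has to go too; otherwise the client resumes it
        //    and presents the same id on the next request. The attribute is
        //    only present on HTTPS requests, hence the null check.
        SSLSessionManager mgr = (SSLSessionManager) request.getAttribute(SSL_SESSION_MGR);
        if (mgr != null) {
            mgr.invalidateSession();
        }

        // 4. Ask the client to drop the keep-alive connection, so the next
        //    request has to negotiate a fresh TLS session.
        response.setHeader("Connection", "close");

        // 5. Redirect inside this context: HTTP sessions are local to each
        //    web application, so a different context would not see the logout.
        response.sendRedirect(request.getContextPath() + "/protected.html");
    }
}
```

Keep the logout on POST only: a GET endpoint can be triggered by any page that embeds a link or image pointing at it. Whether the redirect then actually lands on login.html depends on the Tomcat version, which is the open point of this thread.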


Re: Realm & SSL : issue when logout

Posted by Mark Thomas <ma...@apache.org>.
On 07/09/2011 12:20, Chema wrote:
> What do I need to finish an SSL session so that the realm mechanism knows it?

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application

Mark
