Posted to users@tomcat.apache.org by Chema <de...@gmail.com> on 2011/09/16 13:37:13 UTC

Example to logout on Tomcat 7 and SSL + Realm

Hello:

I've got a web application running on Tomcat 7, with SSL (https) and a
realm for authentication/authorization.

When I invalidate() a session (session.invalidate()), Tomcat
doesn't know it and thinks that the user is still logged in.
So, that user can get protected pages. Tomcat should return him a
login window but doesn't.

If Tomcat doesn't use SSL, it works fine, so I guess I'm not ending
sessions properly with SSL activated.

Any example of how to do it?
Has anyone done it?


Thanks and regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Chema <de...@gmail.com>.
Here go web.xml and server.xml.
I will note that server.xml contains SingleSignOn because I've got two
applications which share logging.

<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 3.0 descriptor (Tomcat 7); without the version attribute Tomcat
     treats the file as an old-style descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Authentication -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.server.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login.do</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>LogoutServlet</servlet-name>
    <servlet-class>com.server.servlet.LogoutServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LogoutServlet</servlet-name>
    <url-pattern>/logout.do</url-pattern>
  </servlet-mapping>

  <!-- Default page to serve -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Force HTTPS for the whole application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ssl</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Require the admin role for the whole application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>realm</realm-name>
    <form-login-config>
      <form-login-page>/login.do</form-login-page>
      <form-error-page>/error.do</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

***************
<!-- server.xml: connectors, realms, the SingleSignOn valve and the two contexts -->
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
           redirectPort="8443"/>
<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150"
           port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
           sslProtocol="TLS"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

<Engine defaultHost="localhost" name="Catalina">

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

    <!-- Host-level realm overrides the engine-level one for both contexts -->
    <Realm className="com.realm.CustomRealm" dataSourceName="ds_admin"
           digest="SHA" roleNameCol="role" userCredCol="password"
           userNameCol="email" userRoleTable="group_role_user" userTable="user"/>

    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

    <Context crossContext="true" path="/login" reloadable="true"/>
    <Context crossContext="true" path="/admin" reloadable="true"/>
  </Host>
</Engine>


2011/9/16 Christopher Schultz <ch...@christopherschultz.net>:
> Please post the relevant sections of web.xml and server.xml, and be
> sure to remove any sensitive information.



Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chema,

On 9/16/2011 1:25 PM, Chema wrote:
>> 
>> Presumably, you are using CLIENT-CERT as your <auth-method>?
> 
> No, [I am using] FORM method

Hmm. HttpSession.invalidate() *is* the proper way to terminate a
"FORM" authentication login.

> session.invalidate();
> org.apache.tomcat.util.net.SSLSessionManager mgr =
>     (org.apache.tomcat.util.net.SSLSessionManager) request.getAttribute("javax.servlet.request.ssl_session_mgr");
> mgr.invalidateSession();

You don't need this SSL stuff. HttpSession.invalidate() ought to do
the trick.

> response.setHeader("Connection", "close");

This is optional, and not usually necessary.

> but it didn't work. Has anyone worked with realm + SSL? Anyone?

This definitely works.

Are you saying that when you use HTTP instead of HTTPS, logouts work?
That sounds really strange.

Please post the relevant sections of web.xml and server.xml, and be
sure to remove any sensitive information.

-chris



Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Chema <de...@gmail.com>.
>
> Presumably, you are using CLIENT-CERT as your <auth-method>?

No, FORM method.

>
>> When I invalidate() a session (session.invalidate()), Tomcat
>> doesn't know it and thinks that the user is still logged in. So, that
>> user can get protected pages. Tomcat should return him a login
>> window but doesn't.
> SSL session != HttpSession
>
> You need to terminate the SSL session. See a separate thread
> "SSLSession invalidate" for a discussion about how this is (not) working.

Well, I don't know what I have to terminate.
I only want to know what to do to inform Tomcat that a user logs out
(the user clicks a Logout button).

I tried to invalidate the SSL session with this code:

session.invalidate();
// Tomcat-specific request attribute; it is null when the request did not
// arrive over an SSL connector, so guard the cast before using it
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager) request.getAttribute("javax.servlet.request.ssl_session_mgr");
if (mgr != null) {
    mgr.invalidateSession();
}
response.setHeader("Connection", "close");

but it didn't work.
Has anyone worked with realm + SSL? Anyone?

Thanks and regards

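As an added example, not code from Chema's application or from Tomcat, here is the logout servlet I would put behind /logout.do for the FORM + SingleSignOn setup posted in this thread. It does what Chris recommends (invalidate the HttpSession, which is where Tomcat keeps the FORM login) and additionally calls the Servlet 3.0 HttpServletRequest.logout() that Tomcat 7 supports, which clears the caller identity on the request and, to my understanding of Tomcat 7's authenticator, also deregisters the SingleSignOn entry shared by the /login and /admin contexts. The package name, the log message and the redirect to the context root are assumptions; the SSL session is left alone, since with FORM authentication it plays no part in the login.

```java
package com.server.servlet; // assumed: the package named in the posted web.xml

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout for container-managed FORM authentication on Tomcat 7.
 * Mapped to /logout.do by the <servlet-mapping> in the posted web.xml.
 */
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Record who is logging out before the identity is gone. Useful for
        // audit and for spotting logouts that did not stick (assumed log format).
        String user = request.getRemoteUser();
        log("logout requested by " + (user == null ? "<anonymous>" : user)
                + " from " + request.getRemoteAddr());

        // Servlet 3.0 programmatic logout. Clears the caller identity on this
        // request and, with Tomcat's SingleSignOn valve, deregisters the SSO
        // entry so the other context (/login or /admin) is logged out as well
        // (assumption about Tomcat 7's authenticator; check it on your version).
        request.logout();

        // Tomcat stores the FORM-authenticated principal in the HttpSession, so
        // this is the step that actually ends the login, as Chris says.
        // getSession(false) avoids creating an empty session only to kill it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // The SSL session is deliberately left alone: for FORM authentication it
        // carries no login state, so there is nothing to terminate there.

        // Keep the logout response out of caches, then send the user to the
        // context root. That URL is covered by the "admin" auth-constraint, so
        // Tomcat will present the login form again, which is the behaviour
        // the thread expects after a logout.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/"); // assumed target
    }

    /**
     * Logout from a plain link as well as from a form submit. A POST-only
     * logout is the safer default (a third-party page cannot log users out
     * with an <img> or link); GET is kept here only because the thread's
     * "Logout button" may be a link.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
```

The observable check is the redirect target: after logout the browser asks for the context root, Tomcat has no principal for the (now non-existent) session, and the FORM login page comes back. If a protected page is still served, the request is being authenticated by something other than the HttpSession, which is the situation the rest of the thread is about.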


Re: [OT] Example to logout on Tomcat 7 and SSL + Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 9/20/2011 2:01 PM, Christopher Schultz wrote:
> I had to use mod_asis and stick this file ("logout") on my disk:
>
> Status: 401 Unauthorized
> WWW-Authenticate: Basic realm="My Realm"

Here is my config if anyone is interested:

        <Location "/logout">
          SetHandler send-as-is
          ErrorDocument 401 /logout.html
        </Location>
        <Location "/logout.html">
          Order allow,deny
          Allow from all
          Satisfy Any
        </Location>

The logout.html file contains a link back to a "regular" page that
will request credentials and then NOT log you out.

-chris



Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 9/17/2011 9:31 AM, André Warnier wrote:
> Christopher Schultz wrote: ...
> 
> Thanks for all these explanations. And as an aside :
> 
>> The only way to terminate a BASIC login is to issue another 401
>> response,
> 
> I did not even know that this worked.  Does it really ?

It depends on how the browser reacts. It used to be (but may no longer
be) that any 401 response from the server resulted in a flush of the
credentials sent to the server, which basically re-triggered the
pop-up window asking for your credentials again. Perhaps they cache
the credentials and re-use them if the /new/ ones (after a
401-response/next-request cycle) fail. I would be surprised if it did
that, though.

> Until now, I thought that the only way to get rid of a BASIC 
> authentication was to close the browser.

That's the only reliable way to do it.

I did just check on my server to see how things worked-out. I probably
should have done it in Java to make things easier on myself, but I
decided that Apache httpd just /had/ to have what I was looking for to
pull this off in my config file. Alas, I was unable to find a
config-file-only solution so I had to use mod_asis and stick this file
("logout") on my disk:

Status: 401 Unauthorized
WWW-Authenticate: Basic realm="My Realm"

Get lost

--- cut ---

Making a request to /logout results in my credentials being discarded
and new ones requested. Unfortunately, as soon as I authenticate, I
get my "logout" page back again and get the 401 response. My only
option is to cancel the login, then go to another URL that won't log
me out right away. So, the technique works, but it's a little fragile. :)

-chris



Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
...

Thanks for all these explanations.
And as an aside :

>  The only way to
> terminate a BASIC login is to issue another 401 response, 

I did not even know that this worked. Does it really?

Until now, I thought that the only way to get rid of a BASIC authentication was to close
the browser.




Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 9/16/2011 1:38 PM, André Warnier wrote:
> I guess that where the OP (and I) get a little confused is in the 
> distinction between the state of "having a session" and "being 
> logged-in", and maybe the sequence in which these things happen.
> 
> 1) a browser sends a first request to Tomcat, and this happens to
> be directed to an application which requires authentication 
> (container-driven).
> 
> 2) Tomcat intercepts the request (because of the authentication 
> requirement), sends back something to the browser which tells the 
> browser (or the user) to supply credentials.
> 
> 3) the browser (or the user) supplies the credentials along with a 
> subsequent request
> 
> 4) Tomcat intercepts this again, verifies the credentials, and if
> they "fit", allows the request (now "authenticated") to proceed to
> the application which had been requested in the first place.
> 
> (and I know that there is some variety in the above, depending on
> the type of authentication, but roughly that's it, no ?)

This is all correct for BASIC, FORM, and CLIENT-CERT authentication
strategies. The difference is how the server requests the credentials
and how the client provides them.

For instance, BASIC uses a 401 server response to request credentials
and the client provides them in a WWW-Authenticate header with a
subsequent response. FORM responds with a login form and the client
sends credentials using POST or query data (aka parameters). For
CLIENT-CERT, the server requests the certificate as part of the SSL
negotiation, and the certificate is sent as part of the SSL negotiation.

> 5) then the request hits the application, and it is the
> application which "decides" if a session is created or not. Yes ?

Here's where things change. For FORM authentication, an HttpSession is
created and corresponds directly to the user's privileged status. Once
the HttpSession is invalidated, the login expires and the user is
logged-out.

> And if it decides so, this creates some storage place for this
> "session thing", and makes it so that a cookie will later be sent
> back to the browser, with an id pointing to this session storage
> thing, so that a subsequent request which provides this cookie,
> allows the application to retrieve the saved session and its
> contents prior to handling the next request.

The JSESSIONID is used to associate HttpSessions with requests. You
can have an HttpSession without having authenticated, but for a FORM
authentication, you must have an HttpSession after (and, in Tomcat,
/before/) you are successfully authenticated (Servlet spec 3.0 allows
you to perform a programmatic login, but I'll ignore that for the
purposes of this discussion).

> Now what is maybe less clear, is whether the "session thing" which
> was created, contains or not the authentication data.

For FORM authentication, it does.

> And if yes : a "session invalidate" should delete the "session
> thing" (and the contained authentication info), and this should
> have the effect that when the browser sends a subsequent request,
> it will find a "no session yet" situation.

There will be no existing session to fetch in any case. For FORM
authentication, that also means that you will have to re-authenticate
in order to get to a privileged resource again.

> Obviously though, "no session" does not necessarily mean "not 
> authenticated", but this is I believe where the OP (and I) are
> getting confused.

For FORM authentication, no session -> not authenticated.

Technically speaking, the servlet spec defines "being logged into an
application" as "[corresponding] precisely to there being a valid
non-null caller identity associated with the request as may be
determined by calling getRemoteUser or getUserPrincipal on the
request" (section 13.10). Tomcat implements FORM login by attaching
principal information to the session, so when the session dies, so
does the login.

This is not the case with the other authentication mechanisms (BASIC
and CLIENT-CERT): the existence of an HttpSession for a request is
independent of the "login". This is because the client sends a
WWW-Authenticate header (for BASIC) or a client certificate (for
CLIENT-CERT) for every request after authentication. The only way to
terminate a BASIC login is to issue another 401 response, and the only
way to terminate a CLIENT-CERT login is to disrupt the SSL session (I
don't know how to do that).

-chris

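Chris describes the BASIC case twice in this thread: in the post above ("the only way to terminate a BASIC login is to issue another 401 response") and in his Apache httpd workaround with the mod_asis "logout" file. Here is the same thing done inside the web application, as an added example that is not code from Chris, from Chema's application or from Tomcat. The package name, the /logout path, the realm name and the page text are assumptions; the realm string has to match whatever the container's BASIC challenge uses.

```java
package com.example.auth; // assumed package

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * "Logout" for BASIC authentication: answer with 401 so the browser drops
 * the credentials it has been replaying on every request. Servlet version
 * of Chris's mod_asis "logout" file.
 */
@WebServlet("/logout") // assumed path
public class BasicLogoutServlet extends HttpServlet {

    /** Must match the realm the container challenges with (assumed value). */
    private static final String REALM = "My Realm";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // With BASIC the HttpSession does not hold the login (Chris's point),
        // but it may hold application state that should not outlive a logout.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // The 401 + WWW-Authenticate pair is what makes the browser forget the
        // cached credentials and prompt again. setStatus() rather than
        // sendError() so that Tomcat serves our body instead of its error page;
        // that replaces the ErrorDocument / "Satisfy Any" pair in the httpd config.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");

        // Shown when the user cancels the new prompt. This is the workaround for
        // the fragility Chris describes: typing credentials at the prompt would
        // hit /logout again and get another 401, so the link leads to an
        // ordinary protected page, which requests credentials and then does
        // NOT log the user out again.
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<p>You have been logged out.</p>");
        out.println("<p><a href=\"" + request.getContextPath() + "/\">Log in again</a></p>");
        out.println("</body></html>");
    }
}
```

Whether the browser really discards the cached credentials on that 401 is, as André and Chris discuss, browser behaviour rather than anything the server controls; the servlet can only issue the challenge. The same caveat applies that Chris makes for the httpd version: the page reached through the link must be one that does not itself answer 401.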


Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by André Warnier <aw...@ice-sa.com>.
Chris,

Christopher Schultz wrote:
...
> 
> Why do you think that HttpSession.invalidate() should act as a log out
> mechanism when using CLIENT-CERT authentication?
> 
I guess that where the OP (and I) get a little confused is in the distinction between the 
state of "having a session" and "being logged-in", and maybe the sequence in which these 
things happen.

But we are willing to be educated (or at least I am) (and the other thread you mention is
not really very explicit in that respect).

So let's say

1) a browser sends a first request to Tomcat, and this happens to be directed to an 
application which requires authentication (container-driven).

2) Tomcat intercepts the request (because of the authentication requirement), sends back 
something to the browser which tells the browser (or the user) to supply credentials.

3) the browser (or the user) supplies the credentials along with a subsequent request

4) Tomcat intercepts this again, verifies the credentials, and if they "fit", allows the 
request (now "authenticated") to proceed to the application which had been requested in 
the first place.

(and I know that there is some variety in the above, depending on the type of 
authentication, but roughly that's it, no ?)

5) then the request hits the application, and it is the application which "decides" if a 
session is created or not. Yes ?

And if it decides so, this creates some storage place for this "session thing", and makes 
it so that a cookie will later be sent back to the browser, with an id pointing to this 
session storage thing, so that a subsequent request which provides this cookie, allows the 
application to retrieve the saved session and its contents prior to handling the next request.

Now what is maybe less clear, is whether the "session thing" which was created, contains 
or not the authentication data.
And if yes : a "session invalidate" should delete the "session thing" (and the contained 
authentication info), and this should have the effect that when the browser sends a 
subsequent request, it will find a "no session yet" situation.

Obviously though, "no session" does not necessarily mean "not authenticated", but this is 
I believe where the OP (and I) are getting confused.

Can you enlighten us ?






Re: Example to logout on Tomcat 7 and SSL + Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chema,

On 9/16/2011 7:37 AM, Chema wrote:
> I've got a web application running on Tomcat 7, with SSL (https)
> and a realm for authentication/authorization.

Presumably, you are using CLIENT-CERT as your <auth-method>?

> When I invalidate() a session (session.invalidate()), Tomcat
> doesn't know it and thinks that the user is still logged in. So, that
> user can get protected pages. Tomcat should return him a login
> window but doesn't.

Why do you think that HttpSession.invalidate() should act as a log out
mechanism when using CLIENT-CERT authentication?

> If Tomcat doesn't use SSL, it works fine, so I guess I'm not ending
> sessions properly with SSL activated.

SSL session != HttpSession

You need to terminate the SSL session. See a separate thread
"SSLSession invalidate" for a discussion about how this is (not) working.

-chris
