Posted to user@struts.apache.org by Graham Lounder <lo...@caris.com> on 2002/07/25 16:19:30 UTC
Remote User and Logoff
In my logoff action, I'm invalidating my session. The problem is, the
getRemoteUser still returns the username when I forward to my jsp page.
Once I process another request, the remote user is set to null.
Is there any way in my LogoffAction servlet to set the remote user to null
before forwarding to the jsp page?
Graham
============================================
Graham Lounder
Java Developer
Spatial Components Division
CARIS
264 Rookwood Ave
Fredericton NB E3B-2M2
Office 506 462-4218
Fax 506 459-3849
graham.lounder@caris.com
http://www.spatialcomponents.com
============================================
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Remote User and Logoff
Posted by Mete Kural <me...@yahoo.com>.
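After you invalidated the session, did you create a
new session by calling request.getSession(true)?
I do the same thing and it works. Here's some code for
you:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import org.apache.struts.action.*;

    public class LogoutAction extends Action {
        public ActionForward perform(ActionMapping mapping,
                ActionForm form, HttpServletRequest request,
                HttpServletResponse response)
                throws IOException, ServletException {
            // Drop the old session and everything stored in it
            HttpSession session = request.getSession();
            session.invalidate();
            // Start a fresh, empty session for the rest of this request
            request.getSession(true);
            return (mapping.findForward("main"));
        }
    }
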
Good luck,
Mete
--- Eddie Bush <ek...@swbell.net> wrote:
> I doubt you have that degree of control wrt your container. What you
> might consider is a small refactoring that would cause you to also check
> for the session, if any, and ... whatever attribute you have there that
> signals a "valid, logged-in" user. CMA is separate from your web
> application, and so you don't have as "fine-tuned" control over it.
>
> Oh - or you might try doing a redirect. You say it's null on the next
> request, so forcing another request may be the solution... assuming you
> haven't painted yourself into a corner you can't redirect out of.
>
> Regards,
>
> Eddie
>
> Graham Lounder wrote:
>
> >In my logoff action, I'm invalidating my session. The problem is, the
> >getRemoteUser still returns the username when I forward to my jsp page.
> >Once I process another request, the remote user is set to null.
> >
> >Is there any way in my LogoffAction servlet to set the remote user to null
> >before forwarding to the jsp page?
> >
> >Graham
Re: Remote User and Logoff
Posted by Eddie Bush <ek...@swbell.net>.
I doubt you have that degree of control wrt your container. What you
might consider is a small refactoring that would cause you to also check
for the session, if any, and ... whatever attribute you have there that
signals a "valid, logged-in" user. CMA is separate from your web
application, and so you don't have as "fine-tuned" control over it.
Oh - or you might try doing a redirect. You say it's null on the next
request, so forcing another request may be the solution... assuming you
haven't painted yourself into a corner you can't redirect out of.
Regards,
Eddie
Graham Lounder wrote:
>In my logoff action, I'm invalidating my session. The problem is, the
>getRemoteUser still returns the username when I forward to my jsp page.
>Once I process another request, the remote user is set to null.
>
>Is there any way in my LogoffAction servlet to set the remote user to null
>before forwarding to the jsp page?
>
>Graham
>
Re: Remote User and Logoff
Posted by Eddie Bush <ek...@swbell.net>.
Craig R. McClanahan wrote:
>
>On Thu, 25 Jul 2002, Graham Lounder wrote:
>
>>Date: Thu, 25 Jul 2002 11:19:30 -0300
>>From: Graham Lounder <lo...@caris.com>
>>Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
>>To: Struts Users Mailing List <st...@jakarta.apache.org>
>>Subject: Remote User and Logoff
>>
>>In my logoff action, I'm invalidating my session. The problem is, the
>>getRemoteUser still returns the username when I forward to my jsp page.
>>Once I process another request, the remote user is set to null.
>>
>
>Invalidating a session doesn't change the fact that the existing user was
>authenticated for the entire length of the current request.
>
That was my suspicion.
>In Servlet 2.4, a new logout() method is being discussed that would
>formalize logout semantics.
>
That would be very helpful :-) Are they going to add some way to cause
authentication to be invoked manually too? ;-) That would seal CMA as
the solution for FORM-based auth where you want to be able to log a user
in without them first having to access a restricted resource. Of
course, I have ideas for working around this, but nothing I've even
tried to implement yet. Still, I would think you could work around that
somehow using JavaScript.
>>Is there any way in my LogoffAction servlet to set the remote user to null
>>before forwarding to the jsp page?
>>
>
>There is not a way to do that. I would suggest having your page look for
>some session attribute to check for this scenario, because you will have
>invalidated the old session and created a new one, and the attribute won't
>be there.
>
... as I alluded to. You explained it better though.
>>Graham
>>
>
>Craig
>
Are you aware, Craig, of any movement to add some higher degree of
flexibility wrt CMA + FORM-based logins? ... for spec 2.5 maybe? ;-)
It astounds me this hasn't been addressed in a specification yet -
though, having read other posts you've made on this topic, I do
understand it takes time and that there is likely no "perfect" solution.
It would seem to me that merely allowing some parameter to be passed to
j_security_check (a path, for instance) would pretty much cure things.
Of course, I can't pretend to have any idea of what the security
implications of allowing such a thing would be.
Thanks for your efforts, by the way, Craig :-)
Regards,
Eddie
Re: Remote User and Logoff
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Thu, 25 Jul 2002, Graham Lounder wrote:
> Date: Thu, 25 Jul 2002 11:19:30 -0300
> From: Graham Lounder <lo...@caris.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: Struts Users Mailing List <st...@jakarta.apache.org>
> Subject: Remote User and Logoff
>
> In my logoff action, I'm invalidating my session. The problem is, the
> getRemoteUser still returns the username when I forward to my jsp page.
> Once I process another request, the remote user is set to null.
>
Invalidating a session doesn't change the fact that the existing user was
authenticated for the entire length of the current request.
In Servlet 2.4, a new logout() method is being discussed that would
formalize logout semantics.
> Is there any way in my LogoffAction servlet to set the remote user to null
> before forwarding to the jsp page?
>
There is not a way to do that. I would suggest having your page look for
some session attribute to check for this scenario, because you will have
invalidated the old session and created a new one, and the attribute won't
be there.
> Graham
Craig
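
The two workarounds suggested in this thread (check a session attribute instead of trusting getRemoteUser() alone, and redirect so the landing page is rendered on a new request), as an added example that is not code from any of the posters. It uses the plain servlet API rather than a Struts Action; the attribute name app.loginMarker, the helper names and the /main.jsp path are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoffServlet extends HttpServlet {
    // Hypothetical attribute name; the application sets it once login succeeds.
    static final String LOGIN_MARKER = "app.loginMarker";

    /** Call on the first authenticated request to tie the session to the user. */
    static void markLoggedIn(HttpServletRequest request) {
        request.getSession(true).setAttribute(LOGIN_MARKER, request.getRemoteUser());
    }

    /**
     * The user that pages should display: non-null only when the container
     * reports a user AND the live session still carries the matching marker.
     */
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session just to look
        String remoteUser = request.getRemoteUser();
        if (session == null || remoteUser == null) {
            return null;
        }
        // After invalidate(), and even after a following getSession(true), the
        // marker is gone, although getRemoteUser() keeps its value until the
        // current request ends.
        return remoteUser.equals(session.getAttribute(LOGIN_MARKER)) ? remoteUser : null;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Redirect instead of forward: the landing page (hypothetical path) is
        // rendered by a new request, on which the thread reports that
        // getRemoteUser() is already null.
        response.sendRedirect(request.getContextPath() + "/main.jsp");
    }
}
```

A JSP that calls LogoffServlet.currentUser(request) in place of request.getRemoteUser() shows the logged-out state even when it is reached by a forward within the logoff request.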