Posted to users@tomcat.apache.org by Michael's new Comcast Account <mi...@Comcast.net> on 2002/06/18 22:29:15 UTC
Please help with JDBCRealm logout problem
I am using a JDBCRealm for user authentication with form-based
authentication and Tomcat 4.0.3 (see config info below). I've also
configured an HttpSessionListener that prints a message when a session is
created or destroyed. A page called home.jsp is used as the default page.
When I access the URL of the app, I see a session created and I get the
login form. I log in as, for example, user1. I then see the home.jsp page. I
then log out by calling a Struts Action where I call session.invalidate().
Source shown below. I can see the session being destroyed.
Now, if I log in as another user, say user2, I sometimes get in as user2 and
sometimes get in as user1. I can tell the difference because the two users
have different roles that govern what is printed on the home page.
This is a real security problem because a user with fewer privileges (roles)
can log on right after a user with more privileges and sometimes get logged
in as the user with more privileges.
Help would be greatly appreciated.
Michael
--- In server.xml ----------------------------------------------------
<!-- DCE Context -->
<Context path="/dce" docBase="dce"
         debug="0" reloadable="true">
    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="5"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/web_users?user=root"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_role" roleNameCol="role_name" />
</Context>
---------------------------------------------------------------------
--- In web.xml ---
<listener>
    <listener-class>com.arinc.dce.ProjectionLoader</listener-class>
</listener>
<welcome-file-list>
    <welcome-file>/home.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>dce</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>dce.user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>dce</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
---------------------------------------------------------------------
--- In LogoutAction.java ---
// LogoutAction.java
package com.arinc.dce.actions;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;
import java.io.IOException;

public class LogoutAction extends Action {
    // Struts 1.0 entry point; invoked when the logout URL mapped to this action is requested
    public ActionForward perform(ActionMapping mapping,
                                 ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        System.out.println("inside LogoutAction");
        // Just invalidate the session and return the user to the home page
        request.getSession().invalidate();
        ActionForward f = mapping.findForward("thanks");
        System.out.println("got ActionForward " + f);
        return f;
    }
}
---------------------------------------------------------------------
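A hardened variant of the logout action above, added here as an example and not part of the original post or of Tomcat/Struts. It keeps the Struts 1.0 `perform()` signature, assumes the `/dce` context and `/login.jsp` from the posted web.xml, and only hardens the application side (session, cookie, caching, redirect instead of forward); it does not and cannot clear a principal the container itself retains across sessions, so the realm behaviour described in the post still needs to be checked separately.

```java
// HardenedLogoutAction.java (added example; class name and package placement are assumed)
package com.arinc.dce.actions;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class HardenedLogoutAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        // Record who is logging out before the session goes away (useful when
        // correlating with the HttpSessionListener output from the post).
        System.out.println("logout user=" + request.getRemoteUser()
                + " session=" + request.getRequestedSessionId());

        // getSession(false): never create a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Expire the JSESSIONID cookie so the browser does not resend the old id.
        // Tomcat scopes the cookie to the context path ("/" for the root context).
        String ctx = request.getContextPath();
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(ctx.length() == 0 ? "/" : ctx);
        response.addCookie(dead);

        // Keep the response out of browser/proxy caches so Back does not replay
        // the last page rendered for the previous user.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Redirect (second argument true) rather than forward: a forward reuses the
        // current request, whose user principal was set by the authenticator before
        // invalidate() ran, so a forwarded home.jsp can still render the old roles.
        // Hitting the protected context root makes the container show login.jsp itself.
        return new ActionForward(ctx + "/", true);
    }
}
```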