You have to call the invalidate method on the session. You can also use setMaxInactiveInterval(int seconds) to kill the session after an inactive period. I think the default in Tomcat is 30 minutes.
Rick

----- Original Message -----
From: "Padhu Vinirs" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, October 02, 2002 2:19 PM
Subject: Re: authorization using tomcat...

> Now I am able to access the secure page through the login page. But even
> if I close the browser ( which I assume will close the session ), and
> restart it, I am able to access the secure page without going through
> the login page. Is there a place where I need to say that the login info
> should not be a permanent cookie but only session scope ???
>
> Thanks
>
> -- padhu
>
> Rick Fincher wrote:
>
> >Hi Padu,
> >
> >It looks like you have this set up OK. Do you have a memory realm set up in
> >conf/web.xml as is required for this setup?
> >
> >Also, since your transport guarantee is set up as confidential it is going
> >to use SSL so you either have to use an HTTPS:// url or you have to have
> >redirection turned on in port 80 (or whatever your HTTP port is) in
> >conf/web.xml.
> >
> >If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is the HTTPS
> >port) in the url too.
> >
> >Rick
> >
> >----- Original Message -----
> >From: "Padhu Vinirs" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, October 02, 2002 10:19 AM
> >Subject: authorization using tomcat...
> >
> >>I am testing web resource form-based authentication. I have created a
> >>dummy jsp page "Details.jsp" and have created the following nodes in
> >>web.xml:
> >>
> >><security-constraint>
> >>  <web-resource-collection>
> >>    <web-resource-name>SecurePages</web-resource-name>
> >>    <url-pattern>Details.jsp</url-pattern>
> >>  </web-resource-collection>
> >>  <auth-constraint>
> >>    <role-name>EditUsers</role-name>
> >>  </auth-constraint>
> >>  <user-data-constraint>
> >>    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>  </user-data-constraint>
> >></security-constraint>
> >><login-config>
> >>  <auth-method>FORM</auth-method>
> >>  <form-login-config>
> >>    <form-login-page>/login.jsp</form-login-page>
> >>    <form-error-page>/error.jsp</form-error-page>
> >>  </form-login-config>
> >></login-config>
> >><security-role>
> >>  <description>Users who can edit</description>
> >>  <role-name>EditUsers</role-name>
> >></security-role>
> >>
> >>I have created a "EditUsers" role in tomcat-users.xml.
> >>
> >>But when I access "Details.jsp", I am redirected to the Netscape search
> >>page !!! I am able to access the login and error.jsp pages fine.
> >>
> >>Any ideas ?
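
The two calls named in the reply at the top of this thread, shown as an added example that is not part of the original messages: a logout servlet that calls `invalidate()` and a session listener that applies `setMaxInactiveInterval(int seconds)` to every new session. It assumes the `javax.servlet` API; the class names, the 15-minute value and the redirect target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical logout endpoint: map it to a URL such as /logout with
// <servlet> and <servlet-mapping> entries in web.xml.
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) avoids creating a session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // The container discards the session and everything bound to it;
            // the old session id no longer maps to a live session.
            session.invalidate();
        }
        // Ask the browser not to keep a copy of this response.
        resp.setHeader("Cache-Control", "no-store");
        // Send the user back to the application root (assumed landing page).
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Idle timeout for every session, set in code. Register it in web.xml:
    //   <listener>
    //     <listener-class>LogoutServlet$IdleTimeout</listener-class>
    //   </listener>
    // In a real project this class would live in its own file.
    public static class IdleTimeout implements HttpSessionListener {
        // Constructed value: 15 minutes, expressed in seconds.
        static final int IDLE_SECONDS = 15 * 60;

        @Override
        public void sessionCreated(HttpSessionEvent event) {
            // After this many seconds without a request the container
            // invalidates the session on its own.
            event.getSession().setMaxInactiveInterval(IDLE_SECONDS);
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            // Nothing to clean up in this example.
        }
    }
}
```

The same idle timeout can be set declaratively with `<session-config><session-timeout>` in web.xml, where the value is in minutes rather than seconds.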