Logout using FORM based authentication

2002-06-07 Thread Markus Kirsten

Hi,
I use a JDBC Realm with FORM based authentication but haven't figured 
out a way for users to log out. Is it just to call session.invalidate() 
or is there any better way to do it?


Markus


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: Logout using FORM based authentication

2002-06-07 Thread Eric Everman

Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was no 
longer logged in.  The 2.3 servlet spec states that a client is logged out 
when their session is invalidated.  So if Tomcat works as advertised, 
session.invalidate() should do what you expect.

Eric Everman





Re: Logout using FORM based authentication

2002-06-07 Thread Markus Kirsten

Hi Eric,
Thank you for verifying that. I've actually made my own authentication 
before but when I read about container-managed authentication I realised 
that that was exactly what I was looking for.

Is there any reason for keeping the user's login as a session attribute 
or is it better to use request.getRemoteUser()? What's the praxis?


Markus






Re: Logout using FORM based authentication

2002-06-07 Thread Eric Everman

There are definitely some issues involved here.

If you are working on a company site that will restrict access of the site 
to a list of people that is managed separately (i.e. the HR department or IT 
department adds a person as a user who is allowed to access the site), 
container managed security is for you.

If you are working on a site that you want to allow visitors to create 
profiles / logins on the fly, stick with your existing session key system.

The 'key' reason is this:  The servlet API provides no access to the login 
mechanism - you cannot programmatically log a user in.  So if you direct a 
user to a 'create new login' page, you have no way to cause the user to be 
logged in after they have finished creating the login.  You can have your 
users create a profile on one page, save the results to your security db, 
then have the user log in on another page that posts to j_security_check, 
but there is no way to do it in one step - very confusing for casual visitors.

One nice feature of the 2.3 spec is filters, which to some degree will 
allow you to extend your session key security to behave *similarly* to the 
declarative security of the CMA.  By that I mean that by using a filter, 
you can configure the security in the web.xml file, rather than having to 
add tags or other logic to pages in order to protect them.


Best of luck,

Eric Everman


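The filter approach Eric describes, as an added example that is not part of the original thread: a Servlet 2.3 filter that protects whatever paths web.xml maps it to, and that logs out by invalidating the session, the behaviour the thread settles on for logout. The class name, the `authenticatedUser` attribute, the init-params and the web.xml mapping in the comment are all assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
 * Hypothetical filter for a session-key login scheme (added example, not from the
 * thread). Assumed web.xml mapping on the protected area, for instance:
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
 * Init-params assumed: loginPage (e.g. /login.jsp), logoutPath (e.g. /secure/logout).
 */
public class SessionAuthFilter implements Filter {
    // Session attribute the login page sets on success (constructed name)
    public static final String USER_ATTR = "authenticatedUser";
    private String loginPage;
    private String logoutPath;
    public void init(FilterConfig cfg) {
        loginPage = cfg.getInitParameter("loginPage");
        logoutPath = cfg.getInitParameter("logoutPath");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        // Logout: invalidate the whole session, as the 2.3 spec defines logout, so
        // nothing else stored in it survives and the old JSESSIONID stops working.
        if (request.getRequestURI().equals(request.getContextPath() + logoutPath)) {
            if (session != null) session.invalidate();
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        // Access check: no session or no USER_ATTR means the client is not logged in
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res); // authenticated; hand on to the protected resource
    }
    public void destroy() { }
}
```

Because the protected paths live in the filter-mapping rather than in each page, adding a page under the mapped pattern protects it without any per-page logic, which is the point Eric makes about web.xml configuration.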