Re: formbased authentication: logout ?
uthay wrote:
> If you want an application controlled authentication why don't you develop a
> session bean that will interact with the login script?

How can that be done without developing the whole custom authentication mechanism?

Christian Rauh

> ----- Original Message -----
> From: "paul marshal" [EMAIL PROTECTED]
> To: "tomcat-list" [EMAIL PROTECTED]
> Sent: Wednesday, February 21, 2001 3:10 PM
> Subject: formbased authentication: logout ?
>
> How do I create a possibility for my users to logout. Is there something in
> the HttpSession that I need to delete ? Or how does it all work ?
>
> Paul
> --
> Paul Marshall [EMAIL PROTECTED] 089/26019-609

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]

Re: formbased authentication: logout ?
That's correct. But it was more of a design issue than anything else. For me using session bean helps me to have accessor modifier style control over my session vars. Extend it a little bit further and you get full session control over your application. Following code will allow me to control the access to the pages at user or admin level

    <%
    // sessInfo is the session bean; admin stays false for ordinary users
    boolean admin = false;
    // no user name in the session bean: forward to the login page
    if (sessInfo.getUName() == null || "".equals(sessInfo.getUName())) {
    %>
    <jsp:forward page="loginValidate.jsp" />
    <%
    } else {
        if (sessInfo.getAuthority().equals("admin")) {
            admin = true;
        }
    }
    %>

sessInfo.setUName("") will invalidate the user

Comments are welcome

Note: sessInfo - session bean

> ----- Original Message -----
> From: "Christian Rauh" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, February 22, 2001 2:36 PM
> Subject: Re: formbased authentication: logout ?
>
> uthay wrote:
> > If you want an application controlled authentication why don't you develop a
> > session bean that will interact with the login script?
>
> How can that be done without developing the whole custom authentication mechanism?
>
> Christian Rauh
>
> > ----- Original Message -----
> > From: "paul marshal" [EMAIL PROTECTED]
> > To: "tomcat-list" [EMAIL PROTECTED]
> > Sent: Wednesday, February 21, 2001 3:10 PM
> > Subject: formbased authentication: logout ?
> >
> > How do I create a possibility for my users to logout. Is there something in
> > the HttpSession that I need to delete ? Or how does it all work ?
> >
> > Paul
> > --
> > Paul Marshall [EMAIL PROTECTED] 089/26019-609

Re: formbased authentication: logout ?
I'm sure others are more knowledgeable, but from what I've been able to observe (snoop servlet is wonderful), a session must have been created before authentication. I'm basing all of my stuff off of my b*stardization of SimpleRealm, BTW.

Session name is JSESSIONID. A principal user is defined and the username and password are stored in the session variable (j_username, j_password) upon successful authentication. A tomcat.auth.originalLocation is defined if they attempted to access a specific secure part before being authenticated. If so, after they authenticate it takes them to that particular page.

To logout, I have my users hit a servlet (could be a jsp) that goes through all the cookies and expires them. Since tomcat can only expire the cookies it created, you don't have to worry about killing someone else's cookie. Looking at my code now, I can't remember if expiring the session takes care of removing the cookies or not. At any rate, I think I had trouble getting the session.invalidate() to work in a jsp (since they create sessions automagically) so maybe that's why I went to the jsp. Maybe the invalidate is required to drop the principal user... At any rate, I'm going to re-evaluate my code but this does work. Enjoy.

/bill

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if ( request.isRequestedSessionIdValid() ) {
            // getSession(false) never creates a new session
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        // getCookies() returns null when the request carries no cookies
        Cookie BagofGingerSnaps[] = request.getCookies();
        if (BagofGingerSnaps != null) {
            for (int i = 0; i < BagofGingerSnaps.length ; i++) {
                BagofGingerSnaps[i].setMaxAge(0); //expire all cookies in 0 seconds
                response.addCookie(BagofGingerSnaps[i]); //replace old cookies with the new
            }
        }
        // stLogoutDestination is a field of the servlet, defined outside this method
        response.sendRedirect(stLogoutDestination);
    }//closes doGet

> paul marshal [EMAIL PROTECTED] on 02/21/2001 09:10:08 AM
> Please respond to [EMAIL PROTECTED]
> To: tomcat-list [EMAIL PROTECTED]
> cc: (bcc: Bill Fellows/MO/americancentury)
> Subject: formbased authentication: logout ?
>
> How do I create a possibility for my users to logout. Is there something in
> the HttpSession that I need to delete ? Or how does it all work ?
>
> Paul
> --
> Paul Marshall [EMAIL PROTECTED] 089/26019-609

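A logout handler along the lines discussed in the message above, as an added example that is not part of the original thread or of Tomcat's own code. It assumes a Servlet 3.0+ container with the `javax.servlet` API, the default session cookie name `JSESSIONID`, and a session cookie path equal to the context path; `LogoutServlet` and `/loggedout.jsp` are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: LogoutServlet and /loggedout.jsp are hypothetical names.
public class LogoutServlet extends HttpServlet {

    // Logout changes state, so it is handled as POST rather than GET
    // (prefetchers and crawlers follow GET links).
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        // 1. Drop the container-managed principal (Servlet 3.0+).
        request.logout();

        // 2. Server side: discard the session and everything stored in it.
        //    getSession(false) never creates a session and returns null
        //    when the client has no valid one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Client side: expire the session cookie. A browser only replaces a
        //    cookie whose name and path match the one it holds, so the path is
        //    set explicitly (assumed here to be the context path).
        String path = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // 4. Keep this response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");

        response.sendRedirect(request.getContextPath() + "/loggedout.jsp");
    }
}
```

The server-side `invalidate()` is what ends the login; expiring the cookie only tidies up the client, since a session id that is no longer valid on the server is rejected whether or not the browser still sends it.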
Re: formbased authentication: logout ?
If you want an application controlled authentication why don't you develop a session bean that will interact with the login script?

> ----- Original Message -----
> From: "paul marshal" [EMAIL PROTECTED]
> To: "tomcat-list" [EMAIL PROTECTED]
> Sent: Wednesday, February 21, 2001 3:10 PM
> Subject: formbased authentication: logout ?
>
> How do I create a possibility for my users to logout. Is there something in
> the HttpSession that I need to delete ? Or how does it all work ?
>
> Paul
> --
> Paul Marshall [EMAIL PROTECTED] 089/26019-609

Re: formbased authentication: logout ?
you create a page where you set :

    <% session.invalidate(); %>

then the session is eligible for the garbage collector.

--- paul marshal [EMAIL PROTECTED] wrote:
> How do I create a possibility for my users to logout. Is there something in
> the HttpSession that I need to delete ? Or how does it all work ?
>
> Paul
> --
> Paul Marshall [EMAIL PROTECTED] 089/26019-609