Re: Example to logout on Tomcat 7 and SSL + Realm [SOLVED]

2011-09-20 Thread Chema
Thanks Christopher. Great explanation. Finally, my problem was solved by upgrading to Tomcat 7.0.21. On 7.0.16, my application doesn't work fine with SSL realm (see previous emails). Upgrading to 7.0.21 (clean install, really) solved the problem and works fine. Regards 2011/9/16

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-20 Thread Christopher Schultz
André, On 9/17/2011 9:31 AM, André Warnier wrote: Christopher Schultz wrote: ... Thanks for all these explanations. And as an aside: The only way to terminate a BASIC login is to issue another 401 response, I did not even know that this

Re: [OT] Example to logout on Tomcat 7 and SSL + Realm

2011-09-20 Thread Christopher Schultz
André, On 9/20/2011 2:01 PM, Christopher Schultz wrote: I had to use mod_asis and stick this file (logout) on my disk: Status: 401 Unauthorized WWW-Authenticate: Basic realm=My Realm Here is my config if anyone is interested: Location

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-17 Thread André Warnier
Christopher Schultz wrote: ... Thanks for all these explanations. And as an aside: The only way to terminate a BASIC login is to issue another 401 response, I did not even know that this worked. Does it really? Until now, I thought that the only way to get rid of a BASIC authentication

Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Hello: I've got a web application running on Tomcat 7, with SSL (https) and realm for authentication/authorization. When I invalidate() a session (session.invalidate()), Tomcat doesn't know it and thinks that user is still logged in. So, that user can get protected pages. Tomcat should return

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Christopher Schultz
Chema, On 9/16/2011 7:37 AM, Chema wrote: I've got a web application running on Tomcat 7, with SSL (https) and realm for authentication/authorization. Presumably, you are using CLIENT-CERT as your auth-method? When I invalidate() a session (

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Presumably, you are using CLIENT-CERT as your auth-method? Not, FORM method. When I invalidate() a session (session.invalidate()), Tomcat doesn't know it and thinks that user is still logged in. So, that user can get protected pages. Tomcat should return him a login window but doesn't.

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Christopher Schultz
Chema, On 9/16/2011 1:25 PM, Chema wrote: Presumably, you are using CLIENT-CERT as your auth-method? No, [I am using] FORM method Hmm. HttpSession.invalidate() *is* the proper way to terminate a FORM authentication login.

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread André Warnier
Chris, Christopher Schultz wrote: ... Why do you think that HttpSession.invalidate() should act as a log out mechanism when using CLIENT-CERT authentication? I guess that where the OP (and I) get a little confused is in the distinction between the state of having a session and being

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Here goes web.xml and servlet.xml. I will note that server.xml contains SingleSignOn because I've got two applications which share logging. <?xml version="1.0" encoding="UTF-8"?> <web-app> <!-- Authentication --> <servlet> <servlet-name>LoginServlet</servlet-name>

Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Christopher Schultz
André, On 9/16/2011 1:38 PM, André Warnier wrote: I guess that where the OP (and I) get a little confused is in the distinction between the state of having a session and being logged-in, and maybe the sequence in which these things happen. 1)