The way container managed security works, is if you click logout, you have to login in and then it's too late to change the target (which is the logout page).
> -----Original Message----- > From: Cliff Rowley [mailto:[EMAIL PROTECTED]] > Sent: lundi 23 septembre 2002 13:08 > To: 'Struts Users Mailing List' > Subject: RE: How can I make my logout page not secure? > > > Then surely it'd work properly? If the user is logged in, > the logout wont be protected and it can log them out along > the way .. If they're not logged in, they'll get thrown a > login screen .. Right? > > >-----Original Message----- > >From: Andrew Hill [mailto:[EMAIL PROTECTED]] > >Sent: 23 September 2002 12:01 > >To: Struts Users Mailing List > >Subject: RE: How can I make my logout page not secure? > > > > > >Perhaps his login & logout are the same action both forwarding > >to the login screen, and if already logged in, logging out > >along the way? > > > >-----Original Message----- > >From: Cliff Rowley [mailto:[EMAIL PROTECTED]] > >Sent: Monday, September 23, 2002 18:54 > >To: 'Struts Users Mailing List' > >Subject: RE: How can I make my logout page not secure? > > > > > >Out of pure interest, why do you want logout unprotected? > >People who are logged out wont need to log out, will they? > > > >>-----Original Message----- > >>From: Michael [mailto:[EMAIL PROTECTED]] > >>Sent: 23 September 2002 09:40 > >>To: [EMAIL PROTECTED] > >>Subject: How can I make my logout page not secure? > >> > >> > >>I'm using J2EE container managed security (in Tomcat). I set > >up a rule > >>to protect all *.do actions. The problem is my logout.do is > >protected > >>as well! > >> > >>In my web.xml I have: > >> > >> <security-constraint> > >> <web-resource-collection> > >> <web-resource-name>All DO</web-resource-name> > >> <url-pattern>*.do</url-pattern> > >> <http-method>GET</http-method> > >> <http-method>POST</http-method> > >> </web-resource-collection> > >> <auth-constraint> > >> <role-name>*</role-name> > >> </auth-constraint> > >> </security-constraint> > >> > >>And then I use struts to set the security roles for each action. > >>Although my logout action doesn't have any security roles, > the above > >>config in the web.xml requires a user to be authenticated before > >>executing an action. > >> > >>What can I do to unprotect my logout action? > >> > >> > >> > >>-- > >>To unsubscribe, e-mail: > >><mailto:struts-user->[EMAIL PROTECTED]> > >>For > >>additional commands, > >>e-mail: <mailto:[EMAIL PROTECTED]> > >> > >> > > > > > >-- > >To unsubscribe, e-mail: > ><mailto:struts-user->[EMAIL PROTECTED]> > >For > >additional commands, > >e-mail: <mailto:[EMAIL PROTECTED]> > > > > > >-- > >To unsubscribe, e-mail: > ><mailto:struts-user->[EMAIL PROTECTED]> > >For > >additional commands, > >e-mail: <mailto:[EMAIL PROTECTED]> > > > > > > > -- > To unsubscribe, e-mail: > <mailto:struts-user-> [EMAIL PROTECTED]> > For > additional commands, > e-mail: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
