On Sun, 26 Aug 2001, Taavi Tiirik wrote:

> Date: Sun, 26 Aug 2001 15:49:19 +0200
> From: Taavi Tiirik <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: how to check if user is authenticated
>
>
> I am doing form based login using JDBCRealm and for logging out
> I call request.getSession().invalidate().
>

By the way, this works only if you are using form-based login -- for BASIC
login you have to ask your user to log out.

> The problem is that after invalidation (during the very same
> request) I can still use request.getRemoteUser() and it returns
> user name just like before calling session.invalidate().
>

That is because the authentication decision for *this* request was made at
the beginning of the request, and lasts for the entire length of that
request -- no matter what else happens.

> What would be the proper way of asking if the user is logged
> in or not? I cannot set any session attributes during login
> process since I am using tomcat's built in JDBCRealm
> authentication.

The simplest thing would be to use an HttpSessionListener (a new listener
API added in servlet 2.3).  Such listeners are notified when a new session
is created (even if it's done by Tomcat) and destroyed.

>
> Oh and I am using latest nightly build of Tomcat 4.0.
>
> Thank you so much for your time
>
> with best wishes,
> Taavi
>
>
>
>

Craig McClanahan
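
One way to combine the listener suggested above with the logout call from the question, as an added example that is not part of the original thread. The class names `SessionTracker` and `LogoutServlet` are hypothetical, and form-based login is assumed:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical names. Register the listener in web.xml with
// <listener><listener-class>SessionTracker</listener-class></listener>.
public class SessionTracker implements HttpSessionListener {
    // IDs of sessions the container currently considers valid.
    private static final Set<String> LIVE =
            Collections.synchronizedSet(new HashSet<String>());

    public void sessionCreated(HttpSessionEvent e) {
        LIVE.add(e.getSession().getId());
    }

    // Called for invalidate() and for timeouts alike.
    public void sessionDestroyed(HttpSessionEvent e) {
        LIVE.remove(e.getSession().getId());
    }

    // getRemoteUser() alone is fixed for the whole request, so also require
    // a session that has not been destroyed. A session can exist before
    // login, which is why both conditions are checked.
    public static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // never create one as a side effect
        return req.getRemoteUser() != null && s != null && LIVE.contains(s.getId());
    }
}

// Shown in the same listing for brevity; a deployed servlet would be a
// public class in its own file.
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate(); // triggers sessionDestroyed()
        }
        // getRemoteUser() still returns the old name here; redirect so the
        // next request is authenticated from scratch.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

After `invalidate()` in the same request, `isLoggedIn(req)` returns false even though `getRemoteUser()` still returns the user name.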

