I'm wondering about the following as a not so elegant solution to the
logout 'issue'.
Create a filter that will be the first filter in the filter chain. It
would do something like the following:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    // Look up an existing session without creating a new one.
    HttpSession httpSession =
            ((HttpServletRequest) request).getSession(false);
    String basicAuth = null;
    if (httpSession != null) {
        basicAuth = (String) httpSession.getAttribute("basicAuth");
    }
    if (basicAuth != null) {
        // Wrap the request so that when the basic auth header is
        // requested the basicAuth is returned.
        // Wrap the response so that if the basic auth header is set it is
        // not set on the encapsulated response but we can get it in this
        // filter.
        // wrapRequest, wrapResponce and OurHttpServletResponse are helpers
        // that are not shown here.
        ServletResponse wrappedResponse = wrapResponce(response);
        chain.doFilter(wrapRequest(request, basicAuth), wrappedResponse);
        // Read the header back from the wrapper; the original response
        // object is not an OurHttpServletResponse.
        basicAuth = ((OurHttpServletResponse) wrappedResponse)
                .getHeader("authorization");
        if (basicAuth != null) {
            httpSession =
                    ((HttpServletRequest) request).getSession(true);
            httpSession.setAttribute("basicAuth", basicAuth);
        }
    } else {
        chain.doFilter(request, response);
    }
}

This would ensure that an HTTP session stuck around and could be
invalidated, therefore logging out the user.
Any thoughts?
Regards
Ben
2009/10/14 Ben Short <[email protected]>:
> I just googled, should have done before asking my last question, and see
> that the value in the basic auth header is the user name and
> password Base64 encoded.
>
> 2009/10/14 Ben Short <[email protected]>:
>> What is the value in the basic auth header and how does it relate to
>> the user? and where are the user details stored?
>>
>>
>> 2009/10/13 Alexander Klimetschek <[email protected]>:
>>> On Tue, Oct 13, 2009 at 22:20, Ben Short <[email protected]> wrote:
>>>> I need to add a link that allows users to log out of my website. After
>>>> trawling the web I haven't found a way to log out a user while using
>>>> HTTP basic authentication.
>>>>
>>>> This seems like a bit of a killer for me. Can anyone suggest how I
>>>> might proceed?
>>>
>>> You can send an XHR request with invalid credentials (using
>>> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
>>> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>>>
>>> Regards,
>>> Alex
>>>
>>> --
>>> Alexander Klimetschek
>>> [email protected]
>>>
>>
>
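
Added example, not part of the original thread and not Sling code: a small Java parser for the Basic Authorization header value discussed above, showing that a value cached under a session attribute such as "basicAuth" decodes directly back to the user name and password. The class name, the sample credentials and the UTF-8 charset are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeader {
    final String user;
    final String password;

    private BasicAuthHeader(String user, String password) {
        this.user = user;
        this.password = password;
    }

    /** Parses an Authorization header value; returns null unless it is well-formed Basic auth. */
    static BasicAuthHeader parse(String headerValue) {
        if (headerValue == null) return null;
        String v = headerValue.trim();
        // The scheme name is case-insensitive and is followed by a space.
        if (!v.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(v.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // token is not valid Base64
        }
        // Assumption: credentials are UTF-8; clients may use other charsets.
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Only the first colon separates the fields; a password may contain colons.
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new BasicAuthHeader(pair.substring(0, colon), pair.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample: the header a browser would send for user "ben".
        String sample = "Basic " + Base64.getEncoder()
                .encodeToString("ben:s3cret:pw".getBytes(StandardCharsets.UTF_8));
        BasicAuthHeader h = parse(sample);
        System.out.println(sample + " -> user=" + h.user + ", password=" + h.password);
        // Headers using another scheme or a malformed token are rejected.
        System.out.println("Bearer rejected: " + (parse("Bearer abc") == null));
        System.out.println("Bad Base64 rejected: " + (parse("Basic !!!") == null));
    }
}
```

Because the encoding is reversible without any key, anything that can read the session store can recover the password from such an attribute.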