开发者

Servlet 3.0 logout doesn't work

问答 作者:

I've got a problem with the authentication features of Servlet 3.0:

With this code in a Servlet v3: 

log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());
log.info("===^===");
request.logout() ;
log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());
request.authenticate(response) ;
log.info("===v===");
log.info(""+request.getUserPrincipal());
log.info(""+request.getAuthType());

I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cac开发者_如何学JAVAhe' mechanism which repopulate the credential and cancel my logout ...

Admin

BASIC

===^===

null

null

===v===

Admin

BASIC

Is it a problem with my firefox, or something I'm missing in the Servlet code?

I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulate the credential and cancel my logout ...

That's the way HTTP BASIC AUTH was designed, it allows all authenticate state to be kept in the client. In other words, its impossible to logout with basic/digest authentication, the server cannot stop a client from caching and resending a BASIC auth authenticator on subsequent requests to the server.

My suggestion is to use form based authentication and the login method of HTTPServletRequest.

References

  • New Security Features in Glassfish v3 (Java EE 6) - Part II
  • New Security Features in Glassfish v3 (Java EE 6) - Part III
  • Easiest and most portable way to authenticate programatically
  • How to log users out from Glassfish server - need help from SUN

It's neither. Once logged in, the browser will always pass your user id and password to the url. Until you restart your browser. As far as I know each browser does that. And as far as I know there's currently no way to tell the browser to forget about the credentials.

However, you'll see your session will be different once you logged out. The usual solution is to add a variable of some kind to the session. Say "loggedin". If this variable is missing you know the user has to log in first and you'll redirect to say login.jsp. And once the user passed this jsp you set this variable again.

Using filters you can enforce this system-wide.

继续阅读:jakarta-eejava-ee-6securityservlet-3.0

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9