How do I log out of an application that uses Form authentication?
Author: Deron Eriksson
Description: This tutorial describes how to log out of a Tomcat application using Form authentication.
Tutorial created using:
Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20
As we saw in another tutorial, form authentication relies on session storage. As a result, if we invalidate a user's session via a session's invalidate() method, the user will be logged out of our application. To demonstrate this, I built upon an earlier form-authentication project and added logout capabilities. The layout of the project is shown here.

In Tomcat's server.xml file, I specify a regular connector for port 8080 and an SSL connector for port 4321.

```xml
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="4321" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

<Connector port="4321" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
```

The web.xml file has a TestServlet mapped to /test. If a user hits the servlet, web.xml's security-constraint specifies that the user must be authenticated and that the user must have the 'tomcat' role. The CONFIDENTIAL transport-guarantee redirects the user from a non-secure port to a secure port if a protected resource is requested. A login page (login.html) and a login error page (login-failed.html) are also specified in web.xml.
web.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TestServlet requires authentication</web-resource-name>
            <url-pattern>/test</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/login-failed.html</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
```

The index.html file is just a simple file we can hit.

index.html

```html
Welcome to the tomcat-demo project
```

The login.html file allows a user to log into our application using the form specified in the file.

login.html

```html
<form method="POST" action="j_security_check">
    <table>
        <tr>
            <td colspan="2">Login to the Tomcat-Demo application:</td>
        </tr>
        <tr>
            <td>Name:</td>
            <td><input type="text" name="j_username" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="j_password" /></td>
        </tr>
        <tr>
            <td colspan="2"><input type="submit" value="Go" /></td>
        </tr>
    </table>
</form>
```

The login-failed.html file displays a simple error message.

login-failed.html

```html
<p>
Sorry, login failed!
</p>
```

The logout.jsp file allows us to log out a user.
If this JSP is hit, a scriptlet displays the user name and then invalidates the session, which logs out the user.

logout.jsp

```jsp
<%@ page session="true"%>

User '<%=request.getRemoteUser()%>' has been logged out.

<%-- Form authentication is tied to the session, so invalidating it logs the user out. --%>
<% session.invalidate(); %>

<br/><br/>
<a href="test">Click here to go to test servlet</a>
```

The TestServlet class displays the user name, displays all the headers, and has a link to the logout.jsp file.

TestServlet.java

```java
package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        // /test is protected in web.xml, so getRemoteUser() is the authenticated user.
        out.println("Welcome '" + escapeHtml(request.getRemoteUser()) + "'");
        out.println("<br/><hr/>");
        // Header names and values are supplied by the client: escape them before writing HTML.
        Enumeration headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = (String) headerNames.nextElement();
            out.print("Header Name: <em>" + escapeHtml(headerName));
            String headerValue = request.getHeader(headerName);
            out.print("</em>, Header Value: <em>" + escapeHtml(headerValue));
            out.println("</em><br/>");
        }
        out.println("<br/><hr/>");
        out.println("<a href=\"logout.jsp\">Click here to log out</a>");
    }

    // Minimal HTML escaping for values echoed into the page.
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```
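A hardened variant of the logout step, as an added example that is not part of the original tutorial: a hypothetical LogoutServlet (assumed to be mapped to /logout in web.xml) that invalidates the session only if one exists, expires the JSESSIONID cookie, and accepts POST only. It uses only Servlet 2.4 calls, which Tomcat 5.5 provides.

```java
package test;

import java.io.IOException;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical LogoutServlet (not part of the tutorial's project). Map it to
// /logout in web.xml and call it with <form method="POST" action="logout">.
public class LogoutServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Only doPost is implemented, so HttpServlet rejects GET requests and
    // logging out stays a deliberate form submission rather than a link.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) returns null instead of creating a fresh session
        // for a visitor who never logged in.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Form authentication lives in the session, so this is the logout.
            session.invalidate();
        }

        // Ask the browser to discard its copy of the session ID. The cookie
        // name and path must match what the container issued.
        String path = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(path.length() == 0 ? "/" : path);
        expired.setMaxAge(0);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Send the user to a public page (the project's index.html).
        response.sendRedirect(path + "/index.html");
    }
}
```

With this servlet in place, the "Click here to log out" link in TestServlet would become a small POST form targeting logout.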