How do you log out of a page using basic JEE authentication?
Hi all,
The question is how to log out of a JEE session.
Scenario:
I've put together a very simple test which works fine: a war file with just two servlets in, both generating the flat HTML to link to each other. One page is /welcome and the other is /secure .
I have gone into realms in WebLogic and set up a URL pattern of /secure against a user, role and policy. This all now works FINE.
I navigate to /welcome and it looks good, navigate to /secure and a popup appears asking for user and password. I log in as the user, and the content of the page is shown; with a wrong user or incorrect password you get a few more goes until you see 403 Forbidden.
So this all works fine.
The question is how to logout.
Googling around, it seems there's a whole bunch of API calls you can use for this; some do just the session, some do the cookie, some do for only the current web application, some techniques do for all web apps.
So to be on the safe side, I decided to nuke everything and used all the calls I could find. I created a new link called logout which calls the following procedure:
    public void mylogout(HttpServletRequest myrequest) {
        HttpSession mysession = myrequest.getSession(true);
        weblogic.servlet.security.ServletAuthentication.logout(myrequest);
        mysession.invalidate();
        weblogic.servlet.security.ServletAuthentication.invalidateAll(myrequest);
        weblogic.servlet.security.ServletAuthentication.killCookie(myrequest);
    }
This runs fine, and the cookie is deleted from the browser. But as soon as I reclick on the /secure link, it does not ask me to log in again but instead just shows the secure data, which it shouldn't.
Browser is set to check for new pages always. I coded an out.println("Time is: " + System.currentTimeMillis()); on the /secure page, just to be sure the browser was not caching it, and it isn't.
It seems as soon as I click on any link, either secure or non-secure, the server just re-creates the JSESSIONID cookie.
If I test in IE, at least I can close the browser down, fire it up again and the login will again be presented. But in Chrome it just keeps displaying the secure data.
Can anyone give me a simple correct bit of code to perform basic J2EE authentication log out? Remember this basic authentication is coming from WebLogic, there is nothing in the local app's deployment descriptors.
Thanks!
:-)
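
An added example, not part of the original post: with BASIC authentication the browser resends the Authorization header on every request, so the server re-authenticates and issues a fresh JSESSIONID no matter what was invalidated. The hypothetical servlet below (javax.servlet API, a placeholder realm name, assumed to be mapped to an unprotected URL such as /logout) invalidates the session and answers 401 so the browser is challenged again.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for a BASIC-protected application.
public class BasicLogoutServlet extends HttpServlet {

    // Assumption: must match the realm name in the server's own
    // WWW-Authenticate challenge for /secure (visible in the browser's
    // network tab). Placeholder value, not taken from the post.
    private static final String REALM = "REALM-NAME-PLACEHOLDER";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Record whether the browser is replaying cached credentials.
        // Only the presence of the header is logged, never its value.
        String auth = req.getHeader("Authorization");
        boolean basic = auth != null
                && auth.regionMatches(true, 0, "Basic ", 0, 6);
        log("logout request, Basic Authorization header present: " + basic);

        // getSession(false): do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Server-side state is gone; now reject the replayed credentials
        // so the browser has to prompt before /secure is served again.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentType("text/html");
        // Body shown when the user cancels the credential prompt.
        resp.getWriter().println(
                "<p>Logged out. <a href=\"welcome\">Back to welcome</a></p>");
    }
}
```

How browsers treat the 401 varies (some only drop the cached credentials once the prompt is cancelled). With FORM authentication the login state lives in the session, so invalidating the session is sufficient.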