tomcat-users mailing list archives

From Michael's new Comcast Account <>
Subject Please help with JDBCRealm logout problem
Date Tue, 18 Jun 2002 20:29:15 GMT
I am using a JDBCRealm for user authentication with form-based
authentication and Tomcat 4.0.3 (see config info below). I've also
configured an HttpSessionListener that prints a message when a session is
created or destroyed. A page called home.jsp is used as the default page.

When I access the URL of the app, I see a session created and I get the
login form. I log in as, for example, user1. I then see the home.jsp page. I
then log out by calling a Struts Action where I call session.invalidate().
Source shown below. I can see the session being destroyed.

Now, if I log in as another user, say user2, I sometimes get in as user2 and
sometimes get in as user1. I can tell the difference because the two users
have different roles that govern what is printed on the home page.

This is a real security problem because a user with fewer privileges (roles)
can log on right after a user with more privileges and sometimes get logged
in as the user with more privileges.

Help would be greatly appreciated.


--- In server.xml ----------------------------------------------------
<!-- DCE Context -->
<Context path="/dce" docBase="dce"
         debug="0" reloadable="true">
    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="5"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_role" roleNameCol="role_name" />
</Context>
--- In web.xml ---


--- In ---

package com.arinc.dce.actions;

import java.io.IOException;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.ServletException;

public class LogoutAction extends Action {
  public ActionForward perform(ActionMapping mapping,
                               ActionForm form,
                               HttpServletRequest request,
                               HttpServletResponse response)
      throws IOException, ServletException {

    System.out.println("inside LogoutAction");

    // Just invalidate the session and return the user to the home page.
    // getSession(false) avoids creating a fresh session only to destroy it.
    HttpSession session = request.getSession(false);
    if (session != null) {
      session.invalidate();
    }

    ActionForward f = mapping.findForward("thanks");
    System.out.println("got ActionForward " + f);
    return f;
  }
}
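The post leaves the cause open, so the most useful next step is to make the symptom observable per request rather than only at session create/destroy. The filter below is an added example, not code from the post or from Tomcat: it logs session id, isNew and getRemoteUser() for every request (to correlate with the HttpSessionListener output) and refuses to keep serving a session whose reported user changes after its first authenticated request. The package name, the session attribute name and the web.xml filter mapping for /* are assumptions.

```java
package com.arinc.dce.filters; // hypothetical package for this example

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet 2.3 filter (the API level Tomcat 4.0.x provides). Requires a
// <filter> and <filter-mapping> for /* in web.xml, assumed and not shown.
public class PrincipalAuditFilter implements Filter {
  // Attribute name is our own choice (hypothetical).
  private static final String BOUND_USER = "com.arinc.dce.boundUser";

  public void init(FilterConfig config) throws ServletException {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    String user = request.getRemoteUser(); // null until form login completes

    // One trace line per request, to line up with the listener's messages.
    System.out.println("audit: session=" + (session == null ? "none" : session.getId())
        + " new=" + (session != null && session.isNew())
        + " user=" + user + " uri=" + request.getRequestURI());

    if (session != null && user != null) {
      String bound = (String) session.getAttribute(BOUND_USER);
      if (bound == null) {
        session.setAttribute(BOUND_USER, user); // first authenticated request
      } else if (!bound.equals(user)) {
        // Container now reports a different user for the same session: refuse.
        System.out.println("audit: ALERT session " + session.getId()
            + " bound to " + bound + " but container reports " + user);
        session.invalidate();
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
    }
    chain.doFilter(req, res);
  }
}
```

With the trace in place, a login as user2 that immediately shows user=user1 on a session marked new=true narrows the problem to the container's handling of the cached principal rather than to the Struts logout code.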
