tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael's new Comcast Account <michael.bowm...@Comcast.net>
Subject Please help with JDBCReam logout problem
Date Tue, 18 Jun 2002 20:29:15 GMT
I am using a JDBCRealm for user authentication with form-based
authentication and Tomcat 4.0.3 (see config info below). I've also
configured an HttpSessionListener that prints a message when a session is
created or destroyed. A page called home.jsp is used as the default page.

When I access the URL of the app, I see a session created and I get the
login form. I log in as, for example, user1. I then see the home.jsp page. I
then log out by calling a Struts Action where I call session.invalidate().
Source shown below. I can see the session being destroyed.

Now, if I log in as another user, say user2, I sometimes get in as user2 and
sometimes get in as user1. I can tell the difference because the two users
have different roles that govern what is printed on the home page.

This is a real security problem because a user with fewer privileges (roles)
can log on right after a user with more privileges and sometimes get logged
in as the user with more privileges.

Help would be greatly appreciated.

Michael

--- In server.xml ----------------------------------------------------
 <!-- DCE Context -->
<Context path="/dce" docBase="dce"
    debug="0" reloadable="true">
    <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="5"
        driverName="org.gjt.mm.mysql.Driver"
        connectionURL="jdbc:mysql://localhost/web_users?user=root"
        userTable="users" userNameCol="user_name" userCredCol="user_pass"
        userRoleTable="user_role" roleNameCol="role_name" />
</Context>
---------------------------------------------------------------------
--- In web.xml ---
<listener>
    <listener-class>com.arinc.dce.ProjectionLoader</listener-class>
</listener>

<welcome-file-list>
    <welcome-file>/home.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>dce</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>dce.user</role-name>
        </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>dce</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
---------------------------------------------------------------------
--- In LogoutAction.java ---
// LogoutAction.java

package com.arinc.dce.actions;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;

import java.io.IOException;

public class LogoutAction extends Action {
 public ActionForward perform(ActionMapping mapping,
           ActionForm form,
           HttpServletRequest request,
           HttpServletResponse response)
  throws IOException, ServletException {

  System.out.println("inside LogoutAction");

  // Just invalidate the session and return the user to the home page
  request.getSession().invalidate();

  ActionForward f = mapping.findForward("thanks");
  System.out.println("got ActionForward " + f);
  return f;
 }
}
---------------------------------------------------------------------


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message