tomcat-users mailing list archives

From Eric Everman <>
Subject Re: Logout using FORM based authentication
Date Fri, 07 Jun 2002 21:56:49 GMT
There are definitely some issues involved here.

If you are working on a company site that will restrict access of the site 
to a list of people that is managed separately (i.e. the HR department or IT 
department adds a person as a user who is allowed to access the site), 
container managed security is for you.

If you are working on a site that you want to allow visitors to create 
profiles / logins on the fly, stick with your existing session key system.

The 'key' reason is this:  The servlet API provides no access to the login 
mechanism - you cannot programmatically log a user in.  So if you direct a 
user to a 'create new login' page, you have no way to cause the user to be 
logged in after they have finished creating the login.  You can have your 
users create a profile on one page, save the results to your security db, 
then have the user login on another page that posts to j_security_check, 
but there is no way to do it in one step - very confusing for casual visitors.

One nice feature of the 2.3 spec is filters, which to some degree will 
allow you to extend your session key security to behave *similarly* to the 
declarative security of the CMA.  By that I mean that by using a filter, 
you can configure the security in the web.xml file, rather than having to 
add tags or other logic to pages in order to protect them.

Best of luck,

Eric Everman

At 03:12 PM 6/7/2002, you wrote:
>Hi Eric,
>Thank you for verifying that. I've actually made my own authentication 
>before but when I read about container-managed authentication I realised 
>that that was exactly what I was looking for.
>Is there any reason for keeping the user's login as a session attribute or 
>is it better to use request.getRemoteUser() ? What's the praxis?
>On Friday, June 7, 2002, at 09:12 , Eric Everman wrote:
>>Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was 
>>no longer logged in.  The 2.3 servlet spec states that a client is logged 
>>out when their session is invalidated.  So if Tomcat works as advertised, 
>>session.invalidate() should do what you expect.
>>Eric Everman
>>At 12:49 PM 6/7/2002, you wrote:
>>>I use a JDBC Realm with FORM based authentication but haven't figured 
>>>out a way for users to log out. Is it just to call session.invalidate() 
>>>or is there any better way to do it?
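The two points raised in this thread, as an added example that is not part of the original messages or of Tomcat itself: a Servlet 2.3 Filter that protects URL patterns declared in web.xml by checking the application's own session key (the "extend your session key security" approach), a login helper that the application's registration page can call directly (the one-step login that container-managed security cannot do), and a logout servlet that calls session.invalidate() as discussed in the quoted exchange. The attribute name "authUser", the init parameter "loginPage", the class names and the URL paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-key access filter (Servlet 2.3). Hypothetical example: the session
 * attribute "authUser" and the init parameter "loginPage" are assumptions.
 *
 * Declared in web.xml so the protected paths live in configuration, not in pages:
 *   <filter>
 *     <filter-name>SessionAuthFilter</filter-name>
 *     <filter-class>SessionAuthFilter</filter-class>
 *     <init-param>
 *       <param-name>loginPage</param-name><param-value>/login.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionAuthFilter</filter-name>
 *     <url-pattern>/members/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionAuthFilter implements Filter {
    public static final String USER_ATTR = "authUser";
    private String loginPage = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("loginPage");
        if (p != null) loginPage = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to find it empty
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        // Keep protected pages out of shared caches and the browser's back-button cache
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /**
     * Called by the application's own login or registration code once the
     * credentials have been verified against the security db. Because this is
     * plain application code, a "create profile" page can call it directly and
     * the visitor is logged in in one step.
     */
    public static void login(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();   // discard the pre-login session id
        request.getSession(true).setAttribute(USER_ATTR, username);
    }
}

/**
 * Logout servlet. Invalidating the session removes the application's session
 * key and, under the 2.3 spec, also logs out a container-managed login.
 */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

Map LogoutServlet to a path such as /logout in web.xml. The filter only checks for the presence of the attribute; the value (the username) is what the application stores instead of relying on request.getRemoteUser(), which is only populated by container-managed authentication.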

