tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Realm & SSL : issue when logout
Date Wed, 07 Sep 2011 11:36:27 GMT
On 07/09/2011 12:20, Chema wrote:
> Hello:
> 
> I've got a web application running on Tomcat 7.0.16.
> It uses realm authentication to validate users (FORM login method
> with a custom login page named login.html)
> and it's secured by SSL with:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>ssl</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> So, if I write https://localhost:8080/protected.html, Tomcat redirects
> to my login.html page to authenticate the user,
> and, if it's valid, returns main.html.
> All fine.
> 
> 
> The web application has got a service to implement a logout with 2 steps:
> 
> - session.invalidate()
> - redirect to protected.html
> 
> 
> Well, when I invoked the last service, I hoped that when redirecting to
> protected.html, as I had invalidated the session before and protected.html is
> a protected resource, Tomcat would redirect my browser to login.html.
> But it didn't: protected.html was returned.
> 
> If I repeat these steps without the SSL configuration, Tomcat does
> (redirects my browser to login.html).
> 
> 
> What do I need to do to finish an SSL session so that the realm mechanism knows it?

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application

Mark
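
The two-step logout from the question, extended to also end the SSL session, as an added example that is not part of the original thread or of Tomcat's own code. It assumes the application tracks sessions by SSL session ID (the case the linked how-to section covers) and that Tomcat's `tomcat-coyote` classes are on the compile classpath; the servlet name `LogoutServlet` and the `/logout` mapping are hypothetical.

```java
import java.io.IOException;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical servlet and mapping; protected.html is the page named in the post.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 1 from the post: invalidate the HTTP session, if one exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Tomcat exposes the SSL session manager as a request attribute.
        // It is null when the request did not arrive over an SSL connector.
        SSLSessionManager mgr = (SSLSessionManager)
                request.getAttribute("javax.servlet.request.ssl_session_mgr");
        if (mgr != null) {
            // Invalidate the SSL session so its ID cannot be reused for tracking.
            mgr.invalidateSession();
            // The SSL session stays active until the connection is closed,
            // so ask the client not to reuse this connection.
            response.setHeader("Connection", "close");
        }

        // Step 2 from the post: redirect to the protected page, which
        // should now be answered with the FORM login page.
        response.sendRedirect(request.getContextPath() + "/protected.html");
    }
}
```

To confirm the fix, request protected.html after logging out and check that the response is login.html rather than the protected content.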
