tomcat-users mailing list archives

From Chema <demablo...@gmail.com>
Subject Re: Realm & SSL : issue when logout
Date Wed, 07 Sep 2011 13:21:32 GMT
Thanks but that didn't work for me

I've got

<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150"
port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS"/>

in my server.xml

And I've created a SessionTrackingModeListener (just like the manual) and
modified web.xml with this listener.

And now I finish the SSL session with

session.invalidate();
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager)
    request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
response.setHeader("Connection", "close");
ServletContext context = this.getServletContext().getContext("/app");
if (context != null)
    response.sendRedirect(context.getContextPath() + "/protected.html");


I hoped that login.html would be returned, but protected.html is.


I don't find any doc about realm + SSL. What's wrong?

Thanks and regards




2011/9/7 Mark Thomas <markt@apache.org>:
> On 07/09/2011 12:20, Chema wrote:
>> Hello:
>>
>> I've got a web application running on Tomcat 7.0.16
>> It uses realm authentication to validate users (FORM login method
>> with a custom login page named login.html)
>> and it's secured by SSL with
>>
>> <security-constraint>
>>   <web-resource-collection>
>>       <web-resource-name>ssl</web-resource-name>
>>         <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> So, if I write https://localhost:8080/protected.html, Tomcat redirects
>> to my login.html page to authenticate the user,
>> and, if it's valid, returns main.html.
>> All fine.
>>
>>
>> The web application has got a service to implement a logout with 2 steps:
>>
>> - session.invalidate()
>> - redirect to protected.html
>>
>>
>> Well, when I invoked the last service, I hoped that when redirecting to
>> protected.html, as I invalidated the session before and protected.html is
>> a protected resource, Tomcat would redirect my browser to login.html.
>> But it didn't: protected.html was returned.
>>
>> If I repeat these steps without the SSL configuration, Tomcat does
>> (redirects my browser to login.html).
>>
>>
>> What do I need to do to finish an SSL session so that the realm mechanism knows it?
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
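
The setup this message describes (SSL session tracking enabled by a context listener, then a logout that ends both the HTTP session and the SSL session), written out as an added example; it is not code from the poster or from the Tomcat project, and it is not a confirmed fix for the behaviour reported above. The class names and the /logout mapping are assumptions, and the annotations assume a Servlet 3.0 web application with annotation scanning enabled (otherwise declare both classes in web.xml).

```java
// Added illustration. LogoutServlet, SslTrackingListener and "/logout" are assumed names.
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Tracking modes can only be set while the context is starting,
    // so this has to live in a ServletContextListener, not in the servlet.
    @WebListener
    public static class SslTrackingListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent event) {
            // Identify the HTTP session by the SSL session id only
            // (no JSESSIONID cookie, no URL rewriting).
            event.getServletContext()
                 .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
        }

        @Override
        public void contextDestroyed(ServletContextEvent event) { }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // 1. End the HTTP session, if there is one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 2. End the SSL session. The attribute is absent on non-SSL
        //    connections, so check it before calling through it.
        Object mgr = request.getAttribute("javax.servlet.request.ssl_session_mgr");
        if (mgr instanceof SSLSessionManager) {
            ((SSLSessionManager) mgr).invalidateSession();
        }
        // 3. The SSL session stays usable until the connection is closed.
        response.setHeader("Connection", "close");
        response.sendRedirect(request.getContextPath() + "/protected.html");
    }
}
```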