tomcat-users mailing list archives

From Chema <demablo...@gmail.com>
Subject Realm & SSL : issue when logout
Date Wed, 07 Sep 2011 11:20:54 GMT
Hello:

I've got a web application running on Tomcat 7.0.16.
It uses realm authentication to validate users (FORM login method
with a custom login page named login.html)
and it's secured by SSL with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ssl</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

So, if I write https://localhost:8080/protected.html, Tomcat redirects
to my login.html page to authenticate the user,
and, if it's valid, returns main.html.
All fine.


The web application has got a service to implement a logout with 2 steps:

- session.invalidate()
- redirect to protected.html


Well, when I invoked the last service, I hoped that when redirecting to
protected.html, as I invalidated the session before and protected.html is
a protected resource, Tomcat would redirect my browser to login.html.
But it didn't: protected.html was returned.

If I repeat these steps without the SSL configuration, Tomcat does
(it redirects my browser to login.html).


What do I need to finish an SSL session so that the realm mechanism knows about it?


Thanks and regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

