How to log out a web application secured by secure domain? [answered]
ybxiang.china Mar 28, 2013 7:19 AM
Dear guys,
My web application works well with the security domain configured in jboss 7.2.
But I can NOT log out of the web application.
Please help me. Thank you very much.
1. jboss-web.xml in my web application:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/ybxiang-forum-jaas-security-domain</security-domain>
</jboss-web>
2. web.xml in my web application:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" ...>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>JSF resources</web-resource-name>
            <description>Protects JSF resources</description>
            <url-pattern>/faces/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>*</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ybxiang forum Authorization</realm-name>
    </login-config>
</web-app>
When I visit my home page with a web browser (Firefox / IE), a dialog like this pops up.
Now, when I enter my account, the home page is displayed. I think the login works well, because #{request.getUserPrincipal().getName()} in my navigator can tell me the login info correctly:
3. navigator.xhtml
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:ui="http://java.sun.com/jsf/facelets"
                xmlns:h="http://java.sun.com/jsf/html">
    <div>
        <h:form id="search" >
            <table width="100%" border="0" cellpadding="0" cellspacing="0" >
                <tr>
                    <td width="50%">
                        <h:outputLink value="#{request.contextPath}/faces/index.xhtml" >
                            <h:outputText value="Home" />
                        </h:outputLink>
                        <h:outputText value=" " />
                        <font color="red">
                            <h:outputText value="Welcome #{request.getUserPrincipal().getName()}" />
                        </font>
                    </td>
                    <td width="50%" style="text-align: right;" >
                        <h:graphicImage value="/img/biggrin.gif" style="border:0px;" />
                        <h:outputText value=" " />
                        <h:outputLink value="#{request.contextPath}/faces/search.xhtml" >
                            <h:outputText value="Search" />
                        </h:outputLink>
                        <h:outputText rendered="#{request.getUserPrincipal() == null}" value=" " />
                        <h:outputLink rendered="#{request.getUserPrincipal() == null}" value="#{request.contextPath}/faces/login.xhtml" >
                            <h:outputText value="Login" />
                        </h:outputLink>
                        <h:outputText rendered="#{request.getUserPrincipal() == null}" value=" " />
                        <h:outputLink rendered="#{request.getUserPrincipal() == null}" value="#{request.contextPath}/faces/register.xhtml" >
                            <h:outputText value="Register" />
                        </h:outputLink>
                        <h:outputText value=" " />
                        <h:outputLink rendered="#{request.getUserPrincipal() != null}" value="#{request.contextPath}/logoutServlet" >
                            <h:outputText value="Log out" />
                        </h:outputLink>
                    </td>
                </tr>
            </table>
        </h:form>
    </div>
</ui:composition>
4. logout Servlet
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * http://www.technicaladvices.com/2012/07/08/the-effective-java-logout-servlet-code/
 */
@WebServlet("/logoutServlet")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
        // request.getSession().invalidate();//remove session.
        request.logout();//JAAS log out! do NOT work? (servlet specification)
        //response.sendRedirect(request.getContextPath() + "/login.jsp");
        response.sendRedirect(request.getContextPath());
    }
}
After I click the "Log out" link, I found LogoutServlet is called as expected (I run JBoss in debug mode in Eclipse + JBoss Tools).
But after redirecting to the home page, or refreshing the home page many times, the navigator still shows the same:
It is NOT logged out; the authentication dialog does NOT appear again!
What is the matter?
Please help me.
Thanks in advance.
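
An added example, not part of the original post and not the poster's code: with `BASIC` authentication the browser keeps the credentials and re-sends them on every request, so the request that follows `request.logout()` is simply authenticated again. The servlet below shows a logout that does stick, assuming `<auth-method>` in web.xml is changed to `FORM` so that the login lives in the HTTP session. The class name `SessionLogoutServlet`, the `/logout` path and the POST-only policy are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example with hypothetical names. Assumes web.xml uses
// <auth-method>FORM</auth-method>, so authentication state is held in the
// session and not in credentials the browser replays on each request.
@WebServlet("/logout")
public class SessionLogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Logout changes state, so accept POST only: a plain GET link can be
    // triggered from another site without the user's intent.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setHeader("Allow", "POST");
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Keep authenticated pages out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Clear the container's principal for this request first...
        request.logout();

        // ...then destroy the session so the old session id is worthless.
        HttpSession session = request.getSession(false); // do not create one
        if (session != null) {
            session.invalidate();
        }

        // Back to the application root; protected URLs now show the login form.
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

The "Log out" control in navigator.xhtml would then have to submit a POST (for example from a small form) instead of being an `h:outputLink`.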