3 Replies Latest reply on Apr 4, 2002 3:00 AM by Daniel Williams

    Logout with web container-managed security

    Wellie Chao Newbie

      I've looked around here and on the struts mailing list and have found some conflicting advice on how to log out a user when using container-managed security and form-based login. I'm running JBoss 3.0 beta with Tomcat 4.0.2. Some people have said session.invalidate() will log out the user, but this doesn't seem to work. I get the following error when I try it:

      ApplicationDispatcher[/rmjobs] Servlet.service() for servlet jsp threw exception
      java.lang.IllegalStateException: getAttribute: Session already invalidated

      This leads me to believe that JBoss/Tomcat is not using the session to store the authentication information. Does anyone have a good way of logging the user out that is also portable to other app servers? I'd settle for something that works with JBoss/Tomcat right now, since I can't even get that to work at the moment.

        • 1. Re: Logout with web container-managed security
          Daniel Williams Newbie

          I have a similar problem (although that's not what you wanted to hear right?)

          I am using JBoss 2.4.4/Tomcat4.0.1. I have deployed a WAR file (e.g. mywar.war) which is a standard webapp using JSP/FORM based logon.

          It logs in and starts an applet.

          As soon as the applet tries to call on the servlet, the servlet says it has an invalid session.

          Under Apache/Tomcat, it works fine.

          The servlet is using the following code to test the validity of the session:
          if (! req.isRequestedSessionIdValid() || req.getRemoteUser() == null || req.getSession(false) == null)
          {
          //return session status
          ...
          }

          Any feedback would be welcome. :-)

          • 2. Re: Logout with web container-managed security
            Wellie Chao Newbie

            I actually figured mine out. I am using struts and tiles. It turned out that I was inadvertently referencing the session object because struts and/or tiles were using the session. In order to fix the problem, I ended up creating a request-scope attribute named doSessionInvalidate and then at the very end of the processing I check if it is true. If so, I invoke session.invalidate(). Hope this helps.

            • 3. Re: Logout with web container-managed security
              Daniel Williams Newbie

              Unfortunately not. I have handling to check the validity of the session and this seems to work. I get past the login page then as soon as my Applet tries to call my Servlet, the session has expired/invalidated.