3 Replies Latest reply on Apr 4, 2002 3:00 AM by dannz89

    Logout with web container-managed security

    wchao
    wchao Mar 30, 2002 9:04 PM

      I've looked around here and on the struts mailing list and have found some conflicting advice on how to log out a user when using container-managed security and form-based login. I'm running JBoss 3.0 beta with Tomcat 4.0.2. Some people have said session.invalidate() will log out the user, but this doesn't seem to work. I get the following error when I try it:

      ApplicationDispatcher[/rmjobs] Servlet.service() for servlet jsp threw exception
      java.lang.IllegalStateException: getAttribute: Session already invalidated

      This leads me to believe that JBoss/Tomcat is not using the session to store the authentication information. Does anyone have a good way of logging the user out that is also portable to other app servers? I'd settle for something that works with JBoss/Tomcat right now, since I can't even get that to work at the moment.

      • 3701 Views
      • Tags:
        • 1. Re: Logout with web container-managed security
          dannz89
          dannz89 Apr 2, 2002 11:42 AM (in response to wchao)

          I have a similar problem (although that's not what you wanted to hear right?)

          I am using JBoss 2.4.4/Tomcat4.0.1. I have deployed a WAR file (e.g. mywar.war) which is a standard webapp using JSP/FORM based logon.

          It logs in and starts an applet.

          As soon as the applet tries to call on the servlet, the servlet says it has an invalid session.

          Under Apache/Tomcat, it works fine.

          The servlet is using the following code to test the validity of the session:
          if (! req.isRequestedSessionIdValid() || req.getRemoteUser() == null || req.getSession(false) == null)
          {
          //return session status
          ...
          }

          Any feedback would be welcome. :-)

            • Actions
          • 2. Re: Logout with web container-managed security
            wchao
            wchao Apr 2, 2002 1:04 PM (in response to wchao)

            I actually figured mine out. I am using struts and tiles. It turned out that I was inadvertently referencing the session object because struts and/or tiles were using the session. In order to fix the problem, I ended up creating a request-scope attribute named doSessionInvalidate and then at the very end of the processing I check if it is true. If so, I invoke session.invalidate(). Hope this helps.

              • Actions
            • 3. Re: Logout with web container-managed security
              dannz89
              dannz89 Apr 4, 2002 3:00 AM (in response to wchao)

              Unfortunately not. I have handling to check the validity of the session and this seems to work. I get past the login page then as soon as my Applet tries to call my Servlet, the session has expired/invalidated.

                • Actions