How do I log out of an application that uses Form authentication?
Author: Deron Eriksson
Description: This tutorial describes how to log out of a Tomcat application using Form authentication.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20



As we saw in another tutorial, form authentication relies on session storage. As a result, if we invalidate a user's session via a session's invalidate() method, the user will be logged out of our application.

To demonstrate this, I built upon an earlier form-authentication project and added logout capabilities. The layout of the project is shown here.

Eclipse Navigator View

In Tomcat's server.xml file, I specify a regular connector for port 8080 and an SSL connector for port 4321.

    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="4321" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
               
    <Connector port="4321" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

The web.xml file has a TestServlet mapped to /test. If a user hits the servlet, web.xml's security-constraint specifies that the user must be authenticated and must have the 'tomcat' role. The CONFIDENTIAL transport-guarantee redirects the user from the non-secure port to the secure port if a protected resource is requested. A login page (login.html) and a login error page (login-failed.html) are also specified in web.xml.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<servlet>
		<servlet-name>TestServlet</servlet-name>
		<servlet-class>test.TestServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>TestServlet</servlet-name>
		<url-pattern>/test</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>TestServlet requires authentication</web-resource-name>
			<url-pattern>/test</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>

		<auth-constraint>
			<role-name>tomcat</role-name>
		</auth-constraint>

		<user-data-constraint>
			<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.html</form-login-page>
			<form-error-page>/login-failed.html</form-error-page>
		</form-login-config>
	</login-config>
</web-app>
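One caveat about the constraint above: in Servlet 2.4, listing http-method elements limits the constraint to exactly those methods, so a request to /test with any other method (HEAD, for instance, which HttpServlet serves through doGet by default) is not subject to the role check at all. The fragment below is an added example, not part of the original tutorial; it drops the method list so the constraint applies to every method.

```xml
<!-- Drop-in replacement for the security-constraint in web.xml above -->
<security-constraint>
	<web-resource-collection>
		<web-resource-name>TestServlet requires authentication</web-resource-name>
		<url-pattern>/test</url-pattern>
		<!-- No http-method elements: with none listed, the constraint
		     covers all HTTP methods, not just GET and POST -->
	</web-resource-collection>

	<auth-constraint>
		<role-name>tomcat</role-name>
	</auth-constraint>

	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>
```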

The index.html file is just a simple file we can hit.

index.html


Welcome to the tomcat-demo project

The login.html file allows a user to log into our application using the form specified in the file.

login.html


<form method="POST" action="j_security_check">
<table>
	<tr>
		<td colspan="2">Login to the Tomcat-Demo application:</td>
	</tr>
	<tr>
		<td>Name:</td>
		<td><input type="text" name="j_username" /></td>
	</tr>
	<tr>
		<td>Password:</td>
		<td><input type="password" name="j_password" /></td>
	</tr>
	<tr>
		<td colspan="2"><input type="submit" value="Go" /></td>
	</tr>
</table>
</form>

The login-failed.html file displays a simple error message.

login-failed.html


<p>
Sorry, login failed!
</p>

The logout.jsp file allows us to log out a user. If this JSP is hit, a scriptlet displays the user name and then invalidates the session, which logs out the user.

logout.jsp

<%@ page session="true"%>

<%-- getRemoteUser() is read before the session is invalidated; afterwards
     the container no longer knows who the user was --%>
User '<%=request.getRemoteUser()%>' has been logged out.

<%-- Form authentication lives in the session, so dropping it ends the login --%>
<% session.invalidate(); %>

<br/><br/>
<a href="test">Click here to go to test servlet</a>
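The same logout as a servlet, written as an added example rather than code from the tutorial. It assumes a hypothetical LogoutServlet mapped to /logout in web.xml, and it handles two things logout.jsp does not: a visitor with no session (logout.jsp's session="true" would create an empty one just to invalidate it) and caching of the logout response.

```java
package test;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /logout in web.xml.
public class LogoutServlet extends HttpServlet {

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		// getSession(false) returns null for an anonymous visitor instead of
		// creating a fresh session the way logout.jsp's session="true" does.
		HttpSession session = request.getSession(false);
		String user = request.getRemoteUser(); // read before invalidation

		if (session != null) {
			// The container keeps the FORM-authenticated principal on the
			// session, so invalidating it is what actually ends the login.
			session.invalidate();
		}

		// Keep browsers and proxies from caching this response or serving a
		// cached copy of a protected page after logout via the back button.
		response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
		response.setHeader("Pragma", "no-cache");
		response.setDateHeader("Expires", 0);

		// Record the event in the servlet log for audit purposes.
		log("Logout: user=" + (user == null ? "<anonymous>" : user)
				+ " from " + request.getRemoteAddr());

		// Redirect to a public page rather than rendering output here, so a
		// reload of the logout URL does nothing surprising.
		response.sendRedirect(request.getContextPath() + "/index.html");
	}
}
```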

The TestServlet class displays the user name, displays all the headers, and has a link to the logout.jsp file.

TestServlet.java

package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestServlet extends HttpServlet {

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
		response.setContentType("text/html");
		PrintWriter out = response.getWriter();

		// getRemoteUser() is the name the container authenticated through the login form
		out.println("Welcome '" + escape(request.getRemoteUser()) + "'");
		out.println("<br/><hr/>");

		// Echo every request header. Header values are client-supplied, so they are
		// escaped before being written into the HTML response.
		Enumeration headerNames = request.getHeaderNames();
		while (headerNames.hasMoreElements()) {
			String headerName = (String) headerNames.nextElement();
			out.print("Header Name: <em>" + escape(headerName));
			String headerValue = request.getHeader(headerName);
			out.print("</em>, Header Value: <em>" + escape(headerValue));
			out.println("</em><br/>");
		}

		out.println("<br/><hr/>");
		out.println("<a href=\"logout.jsp\">Click here to log out</a>");
	}

	// Minimal HTML escaping so header contents cannot inject markup into the page
	private static String escape(String s) {
		if (s == null) {
			return "null";
		}
		return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
	}
}

(Continued on page 2)
