How do I log out of an application that uses Form authentication?
Author: Deron Eriksson
Description: This tutorial describes how to log out of a Tomcat application using Form authentication.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20


As we saw in another tutorial, form authentication relies on session storage. As a result, if we invalidate a user's session via a session's invalidate() method, the user will be logged out of our application.

To demonstrate this, I built upon an earlier form-authentication project and added logout capabilities. The layout of the project is shown here.

Eclipse Navigator View

In Tomcat's server.xml file, I specify a regular connector for port 8080 and an SSL connector for port 4321.

    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="4321" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="4321" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

The web.xml file has a TestServlet mapped to /test. If a user hits the servlet, web.xml's security-constraint specifies that the user must be authenticated and that the user must have the 'tomcat' role. The CONFIDENTIAL transport-guarantee redirects the user from the non-secure port to the secure port if a protected resource is requested. A login page (login.html) and a login error page (login-failed.html) are also specified in web.xml.


<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<servlet><servlet-name>TestServlet</servlet-name><servlet-class>test.TestServlet</servlet-class></servlet>
	<servlet-mapping><servlet-name>TestServlet</servlet-name><url-pattern>/test</url-pattern></servlet-mapping>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>TestServlet requires authentication</web-resource-name>
			<url-pattern>/test</url-pattern>
		</web-resource-collection>
		<auth-constraint><role-name>tomcat</role-name></auth-constraint>
		<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
		<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
	</security-constraint>
	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config><form-login-page>/login.html</form-login-page><form-error-page>/login-failed.html</form-error-page></form-login-config>
	</login-config>
</web-app>

The index.html file is just a simple file we can hit.


Welcome to the tomcat-demo project

The login.html file allows a user to log into our application using the form specified in the file.


<form method="POST" action="j_security_check">
	<table>
		<tr><td colspan="2">Login to the Tomcat-Demo application:</td></tr>
		<tr><td><input type="text" name="j_username" /></td></tr>
		<tr><td><input type="password" name="j_password" /></td></tr>
		<tr><td colspan="2"><input type="submit" value="Go" /></td></tr>
	</table>
</form>

The login-failed.html file displays a simple error message.


Sorry, login failed!

The logout.jsp file allows us to log out a user. If this JSP is hit, a scriptlet displays the user name and then invalidates the session, which logs out the user.


<%@ page session="true"%>

User '<%=request.getRemoteUser()%>' has been logged out.

<% session.invalidate(); %>

<a href="test">Click here to go to test servlet</a>
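A servlet-based alternative to logout.jsp, added here as an example and not part of the tutorial project (the class name LogoutServlet and a /logout mapping in web.xml are assumed): it logs the user out the same way, by invalidating the session, but also expires Tomcat's JSESSIONID cookie, marks the response uncacheable, and redirects to index.html instead of printing the name of the user who was just logged out.

```java
package test;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (not in the tutorial); assumed to be mapped to /logout in web.xml.
public class LogoutServlet extends HttpServlet {

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		// getSession(false) does not create a session for a caller that has none.
		HttpSession session = request.getSession(false);
		if (session != null) {
			// Form authentication keeps the authenticated principal in the session,
			// so invalidating the session is what actually logs the user out.
			session.invalidate();
		}

		// Ask the browser to drop the old session cookie. Tomcat rejects the stale id
		// anyway, but a lingering cookie makes the next login flow look like a timeout.
		// JSESSIONID is Tomcat's default session cookie name; its path is the context path.
		String contextPath = request.getContextPath();
		Cookie cookie = new Cookie("JSESSIONID", "");
		cookie.setMaxAge(0);
		cookie.setPath(contextPath.length() == 0 ? "/" : contextPath);
		cookie.setSecure(request.isSecure());
		response.addCookie(cookie);

		// Keep the logout response out of the browser cache.
		response.setHeader("Cache-Control", "no-cache, no-store");
		response.setHeader("Pragma", "no-cache");

		// Send the user to a public page rather than rendering anything here.
		response.sendRedirect(contextPath + "/index.html");
	}
}
```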

The TestServlet class displays the user name, displays all the headers, and has a link to the logout.jsp file.

package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TestServlet extends HttpServlet {

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
		PrintWriter out = response.getWriter();

		// getRemoteUser() returns the name the user authenticated with via the login form
		out.println("Welcome '" + request.getRemoteUser() + "'");

		// Print every request header; the Cookie header carries the JSESSIONID
		Enumeration headerNames = request.getHeaderNames();
		while (headerNames.hasMoreElements()) {
			String headerName = (String) headerNames.nextElement();
			out.print("Header Name: <em>" + headerName);
			String headerValue = request.getHeader(headerName);
			out.print("</em>, Header Value: <em>" + headerValue);
			out.println("</em><br/>");
		}

		out.println("<a href=\"logout.jsp\">Click here to log out</a>");
	}
}

(Continued on page 2)
