How do I log out of an application that uses Form authentication?
Author: Deron Eriksson
Description: This tutorial describes how to log out of a Tomcat application using Form authentication.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20


(Continued from page 1)

If we fire up our project and hit index.html, we see:

Hitting index.html

If we make a request for /test (the TestServlet), Tomcat will redirect to the secure 4321 port. Since I created a self-signed certificate (covered in another tutorial), Internet Explorer will display an error message. I clicked 'Continue to this website'.

Attempting to hit TestServlet

Since /test requires authentication, the user is sent to the login.html file. Notice that the CONFIDENTIAL transport-guarantee redirects to the secure 4321 port.

Secure log-in

I logged on using 'myname' as the user and 'mypassword' as the password. These were previously added to the tomcat-users.xml file with the 'tomcat' role, which is an auth-constraint role specified in web.xml as having access to /test. Since the user name and password are valid and they have the correct role, the user is authenticated and the TestServlet is displayed.

Hitting TestServlet

If I refresh the page, we can see that the JSESSIONID cookie is present in the headers, indicating that sessions are being used.

Refreshing browser window

I'll click on the 'Click here to log out' link, which points to logout.jsp.

Clicking to log out

The logout.jsp page logs out the user via the call to session.invalidate().

logout.jsp page

If I refresh logout.jsp, we see that the displayed user name is 'null', since the user is not logged in and authenticated.

Refreshing logout.jsp page
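The same logout step written as a servlet, as an added example that is not part of the original tutorial project: besides calling session.invalidate(), it tells the browser to drop the stale JSESSIONID cookie and keeps the response out of caches. The class name LogoutServlet, its mapping in web.xml, and the redirect to index.html under the context path are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, not from the tutorial; map it to a URL such as /logout in web.xml.
public class LogoutServlet extends HttpServlet {

    // Logging out changes server state, so it is handled on POST here;
    // the tutorial's log-out link would become a small form that posts to this servlet.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) avoids creating a new session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // The same call logout.jsp makes: the server-side session is discarded,
            // so the old JSESSIONID value no longer maps to an authenticated user.
            session.invalidate();
        }

        // Ask the browser to delete the now-useless session cookie.
        // The path must match the one the container set (the context path).
        String contextPath = request.getContextPath();
        Cookie stale = new Cookie("JSESSIONID", "");
        stale.setPath(contextPath.length() == 0 ? "/" : contextPath);
        stale.setMaxAge(0);                    // 0 = expire immediately
        stale.setSecure(request.isSecure());   // keep Secure when served over HTTPS
        response.addCookie(stale);

        // Keep this response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Assumed landing page: the unprotected index.html of this web application.
        response.sendRedirect(contextPath + "/index.html");
    }
}
```

After this runs, a request for /test carries no valid session and is sent to login.html, the same behaviour the following steps show for logout.jsp.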

If I click the 'Click here to go to test servlet' link, I am sent to the TestServlet URL.

Clicking to go to TestServlet

Since the TestServlet requires authentication, I am sent to the login.html page, as expected.

Log-in page

As you can see, logging in and out of an application is quite easy using Form authentication.
