How do I log out of an application that uses Form authentication?
Author: Deron Eriksson
Description: This tutorial describes how to log out of a Tomcat application using Form authentication.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20
(Continued from page 1)
If we fire up our project and hit index.html, we see:
If we make a request for /test (the TestServlet), Tomcat will redirect to the secure 4321 port. Since I created a self-signed certificate (covered in another tutorial), Internet Explorer will display an error message. I clicked 'Continue to this website'.
Since /test requires authentication, the user is sent to the login.html file. Notice that the CONFIDENTIAL transport-guarantee redirects to the secure 4321 port.
I logged on using 'myname' as the user and 'mypassword' as the password. These were previously added to the tomcat-users.xml file with the 'tomcat' role, which is an auth-constraint role specified in web.xml as having access to /test. Since the user name and password are valid and they have the correct role, the user is authenticated and the TestServlet is displayed.
If I refresh the page, we can see that the JSESSIONID cookie is present in the headers, indicating that sessions are being used.
I'll click on the 'Click here to log out' link, which points to logout.jsp.
The logout.jsp page logs out the user via the call to session.invalidate().
If I refresh logout.jsp, we see that the displayed user name is 'null', since the user is not logged in and authenticated.
If I click the 'Click here to go to test servlet' link, I am sent to the TestServlet URL.
Since the TestServlet requires authentication, I am sent to the login.html page, as expected.
As you can see, logging in and out of an application is quite easy using Form authentication.
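The same logout step can also live in a servlet instead of logout.jsp. The following is an added example, not code from this tutorial: the class name LogoutServlet and its /logout mapping are assumptions, and it uses only Servlet 2.4 calls available in Tomcat 5.5. Besides calling session.invalidate(), it tells the browser to discard the JSESSIONID cookie seen in the headers above.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (not part of the tutorial); map it in web.xml to /logout.
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        logout(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        logout(request, response);
    }

    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Read the user before invalidating; afterwards getRemoteUser() on new
        // requests returns null, as the refreshed logout.jsp shows.
        String user = request.getRemoteUser();

        // getSession(false) avoids creating a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops the server-side session and the authenticated principal
            // that Form authentication stored in it.
            session.invalidate();
            getServletContext().log("Logged out user: " + user);
        }

        // Expire the session cookie in the browser. The path must match the one
        // Tomcat used when it set the cookie (the context path, or "/" for ROOT).
        String path = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(path.length() == 0 ? "/" : path);
        expired.setMaxAge(0);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Send the user back to the unprotected start page.
        response.sendRedirect(request.getContextPath() + "/index.html");
    }
}
```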