On 06.10.2005, at 11:26, Alexandru Popescu wrote:
> I was trying to figure out a solution for the MAGNOLIA-87 New Feature
> (logout button would be nice).
> My investigations showed me that for a correct logout functionality
> the following must be done:
> 1/ set response status to SC_UNAUTHORIZED
> 2/ set response header WWW-Authenticate
> 3/ call SessionAccessControl.invalidateUser
> 4/ javax.jcr.Session.logout
> What I am finding more difficult is a way to put this functionality to
> work. And here I can think of 2 solutions:
> 1/ after the logout confirmation, create a request to a jsp or servlet
> that is doing the above. But the scenario doesn't seem to work as:
> - the user is prompted with the login dialog
> - if he provides correct credentials the request URL is hitting again
> the logout [jsp|servlet].
> Do you know a way to make the request redirect to contextPath?
> 2/ after logout confirmation, create a cookie that will be processed in
> the filters (most probably in the SecurityFilter)
> In this case the scenario may work as:
> - the user is prompted with the login dialog
> - if he provides correct credentials then the request URL is hitting
> contextPath (it is OK)
> - if he cancels then a small message can be displayed: You have been
> logged out.
> What do you think is the better way to do it?

I think we should definitely change to a form-based authentication. I
think it's less effort to do this than to implement some tricky logout
mechanism for the basic authentication mechanism. Going through some
info found on the net it looks like there is no solution we would
like to live with.
What do you think?
Philipp Bracher
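
Option 2 from the quoted message, written out as a servlet filter. This is an added example, not code from this thread or from Magnolia; the cookie name, the realm, the cookie path and the use of HttpSession.invalidate() in place of the two Magnolia/JCR calls are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration of the cookie-driven logout; not Magnolia's SecurityFilter. */
public class LogoutCookieFilter implements Filter {
    // Hypothetical names chosen for this example.
    static final String LOGOUT_COOKIE = "logout-pending";
    static final String REALM = "example-realm";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        if (!hasLogoutCookie(request)) {
            chain.doFilter(request, response); // no logout requested
            return;
        }
        // Consume the marker first, so the request the browser retries after
        // the user re-enters credentials is not challenged a second time.
        String ctx = request.getContextPath();
        Cookie clear = new Cookie(LOGOUT_COOKIE, "");
        clear.setPath(ctx.length() == 0 ? "/" : ctx); // assumed to match the path it was set with
        clear.setMaxAge(0);
        response.addCookie(clear);
        // Steps 3 and 4 of the message (SessionAccessControl.invalidateUser,
        // javax.jcr.Session.logout) belong here; the servlet session stands in.
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        // Steps 1 and 2: reject the Basic credentials the browser has cached.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setContentType("text/plain");
        // Shown by the browser only if the user cancels the login dialog.
        response.getWriter().write("You have been logged out.");
    }

    private static boolean hasLogoutCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) return false;
        for (int i = 0; i < cookies.length; i++) {
            if (LOGOUT_COOKIE.equals(cookies[i].getName())) return true;
        }
        return false;
    }
}
```

The filter has to run before the filter that checks credentials, otherwise the request carrying the marker cookie is authenticated with the cached credentials before the challenge is sent.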