André,
On 9/20/2011 2:01 PM, Christopher Schultz wrote:
> I had to use mod_asis and stick this file ("logout") on my disk:
>
> Status: 401 Unauthorized
> WWW-Authenticate: Basic realm="My Realm"
Here is my config if anyone is interested:
André,
On 9/17/2011 9:31 AM, André Warnier wrote:
> Christopher Schultz wrote: ...
>
> Thanks for all these explanations. And as an aside :
>
>> The only way to terminate a BASIC login is to issue another 401
>> response,
>
> I did not even know th
Thanks Christopher.
Great explanation.
Finally, my problem was solved by upgrading to Tomcat 7.0.21.
On 7.0.16, my application doesn't work fine with SSL & realm (see
previous emails).
Upgrading to 7.0.21 (clean install, really) solved the problem and works fine.
Regards
2011/9/16 Christ
Christopher Schultz wrote:
...
Thanks for all these explanations.
And as an aside :
The only way to
terminate a BASIC login is to issue another 401 response,
I did not even know that this worked. Does it really ?
Until now, I thought that the only way to get rid of a BASIC authentication
André,
On 9/16/2011 1:38 PM, André Warnier wrote:
> I guess that where the OP (and I) get a little confused is in the
> distinction between the state of "having a session" and "being
> logged-in", and maybe the sequence in which these things happen.
Here goes web.xml and servlet.xml
I will note that server.xml contains SingleSignOn because I've got two
applications which share logging
LoginServlet
com.server.servlet.LoginServlet
LoginServlet
/login.do
LogoutServlet
com.server.servlet.Lo
Chris,
Christopher Schultz wrote:
...
Why do you think that HttpSession.invalidate() should act as a log out
mechanism when using CLIENT-CERT authentication?
I guess that where the OP (and I) get a little confused is in the distinction between the
state of "having a session" and "being logged
Chema,
On 9/16/2011 1:25 PM, Chema wrote:
>>
>> Presumably, you are using CLIENT-CERT as your ?
>
> No, [I am using] FORM method
Hmm. HttpSession.invalidate() *is* the proper way to terminate a
"FORM" authentication login.
> session.invalidate();
>
> Presumably, you are using CLIENT-CERT as your ?
Not , FORM method
>
>> When I invalidate() a session ( session.invalidate() ) , Tomcat
>> doesn't know it and thinks that user is still logged in So, that
>> user can get protected pages. Tomcat should return him a login
>> window but doesn't.
>
Chema,
On 9/16/2011 7:37 AM, Chema wrote:
> I've got a web application running on Tomcat 7, with SSL (https)
> and realm for authentication/authorization
Presumably, you are using CLIENT-CERT as your ?
> When I invalidate() a session ( session.invali
Hello:
I've got a web application running on Tomcat 7, with SSL (https) and
realm for authentication/authorization
When I invalidate() a session ( session.invalidate() ) , Tomcat
doesn't know it and thinks that user is still logged in
So, that user can get protected pages. Tomcat should return him