Here goes web.xml and servlet.xml. I will note that server.xml contains SingleSignOn because I've got two applications which share logging.

<?xml version="1.0" encoding="UTF-8"?>
<web-app>

  <!-- Authentication -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.server.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login.do</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>LogoutServlet</servlet-name>
    <servlet-class>com.server.servlet.LogoutServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LogoutServlet</servlet-name>
    <url-pattern>/logout.do</url-pattern>
  </servlet-mapping>

  <!-- Default page to serve -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ssl</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>realm</realm-name>
    <form-login-config>
      <form-login-page>/login.do</form-login-page>
      <form-error-page>/error.do</form-error-page>
    </form-login-config>
  </login-config>

</web-app>

***************

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
           redirectPort="8443"/>
<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="C:\keystore.jks" keystorePass="tomcat"
           maxThreads="150" port="8443" protocol="HTTP/1.1"
           scheme="https" secure="true" sslProtocol="TLS"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

<Engine defaultHost="localhost" name="Catalina">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
  <Host appBase="webapps" autoDeploy="true" name="localhost"
        unpackWARs="true">
    <Realm className="com.realm.CustomRealm" dataSourceName="ds_admin"
           digest="SHA" roleNameCol="role" userCredCol="password"
           userNameCol="email" userRoleTable="group_role_user"
           userTable="user"/>
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    <Context crossContext="true" path="/login" reloadable="true"/>
    <Context crossContext="true" path="/admin" reloadable="true" />
  </Host>
</Engine>

2011/9/16 Christopher Schultz <ch...@christopherschultz.net>:
> Chema,
>
> On 9/16/2011 1:25 PM, Chema wrote:
>>>
>>> Presumably, you are using CLIENT-CERT as your <auth-method>?
>>
>> No, [I am using] FORM method
>
> Hmm. HttpSession.invalidate() *is* the proper way to terminate a
> "FORM" authentication login.
>
>> session.invalidate();
>> org.apache.tomcat.util.net.SSLSessionManager mgr =
>>     (org.apache.tomcat.util.net.SSLSessionManager) request.getAttribute("javax.servlet.request.ssl_session_mgr");
>> mgr.invalidateSession();
>
> You don't need this SSL stuff. HttpSession.invalidate() ought to do
> the trick.
>
>> response.setHeader("Connection", "close");
>
> This is optional, and not usually necessary.
>
>> but didn't work. Has anyone worked with realm + SSL? Anyone?
>
> This definitely works.
>
> Are you saying that when you use HTTP instead of HTTPS, logouts work?
> That sounds really strange.
>
> Please post the relevant sections of web.xml and server.xml, and be
> sure to remove any sensitive information.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org