Solved

Implementing logout with BASIC Security

Posted on 2003-10-26
9
220 Views
Last Modified: 2010-04-01
Hi,

I have implemented BASIC security for my assignment. I defined Users and Groups in Weblogic and then defined roles and allowed users in Deployment descriptor.

Now I have found out that I have to implemnet log out as well. I was wondering if there is any way I could achieved this using BASIC security? It doesn't have to be complicated, as long it does the job!

If there is not a way, should I change all my security structure to use Forms or there is some hybrid possible with Forms and BASIC security?

Thanks for you're help!
0
Comment
Question by:R_a_V_e_N
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 15

Expert Comment

by:jimmack
ID: 9625593
I thought that this happened when you invalidated the session using HttpSession.invalidate().
0
 

Author Comment

by:R_a_V_e_N
ID: 9625664
I don't think so.
0
 
LVL 15

Expert Comment

by:jimmack
ID: 9627389
Sorry Raven ;-)

I found this though.  It may help :-)

http://groups.yahoo.com/group/jrun-interest/message/9534
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:R_a_V_e_N
ID: 9629037
Thanks for your help jimmack!

But I still don't think this will work. This is more related to forms security. Following is the copy & paste from the site you gave:

e.g..
1) user click on link to jsp page
2) jsp page invalidates the session
3) jsp page creates a new session
4) set the flag in session
5) when the user tries a protected link...
a) get session
b) check for flag
c) .. if it is there deny and unset flag
d) other wise do normal validation stuff

This will force the browser to reprompt for user name and password. NOTE ie will show login screen netscape will say login attempt failed and as if they want to retry

I understand upto 5b, but 5c and 5d don't make sense to me. If I unset the flage how will it force the browser to redisplay login page? Also, what exactly is meant by deny?

Thanks for your help!
0
 
LVL 15

Expert Comment

by:jimmack
ID: 9640751
Sorry for the late response.  I've had two frustrating days of not being able to resolve the EE URL :-(

You are right, 5c and d are not exactly "clear" ;-) and it does seem to use the same session invalidation that is more applicable to form based security.

I think I need to dig out my "More Servlets and JSPs" book to find out more about how basic security manages the login info.  (My first comment was based on the idea that it would be via the session).  Obviously there must be something stored somewhere that becomes invalid at some stage, otherwise a user would always have access when they've logged in once :-)

I'll go hunting for my book when I get chance (unless you can already explain it.  That might save time ;-)).
0
 

Author Comment

by:R_a_V_e_N
ID: 9641176
"...and that it is very difficult to log in as a different user once you are authenticated. In fact, once authenticated, you have to quit the browser and restart if you want to log in as a different user! Now, in principle it is possible to write a “relogin” servlet that sends a 401 Unauthorized status code and a WWW-Authenticate header containing the appropriate realm. But, that is hardly “declarative” security!"

Thats from More Servlets and JSPs. Actually, FORMs security is not difficult as I first thought. It is almost same as this, except I have to provide Login and Error pages.

Is this relogin servlet difficult to write? or is my best bet to change to FORMs security?

Thanks for you're help jimmack!



0
 
LVL 15

Accepted Solution

by:
jimmack earned 30 total points
ID: 9641424
Nice one ;-)

Marty Hall is a seriously good author.  I really like his books :-)

The relogin servlet shouldn't be difficult to write, just a bit cumbersome.  You'll need to use the session information to determine when a user is logged in or logged out.  If the session variable indicates logged out, then you return the 401 return code and set the header.  When they log in, you set the session variable.....

I think I'm describing the way that Forms security works :-)

OK.  Use forms unless there are any specific reasons why you shouldn't ;-)

Jim.
0
 

Author Comment

by:R_a_V_e_N
ID: 9641440
fair enuff, forms are quite easy!

Thanks for you're help :)))
0
 
LVL 15

Expert Comment

by:jimmack
ID: 9641490
No problem.

Have fun ;-)
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EJB MDB example 4 93
Struts tiles for layout structure along with Angular JS. 4 184
if statement not resolving in my code 5 56
spring example non maven 4 106
This article describes how to import an Outlook PST file to Office 365 using a third party product to avoid Microsoft's Azure command line tool, saving you time.
Configuring Remote Assistance for use with SCCM
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question