Logout from web app using Tomcat BASIC authentication

Views: 272

Question

I am using Tomcat BASIC authentication for my web app:

I added the following lines to web.xml in my web app:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webpages</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>

    <user-data-constraint>
        <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>

My logout link:

<h:commandLink value="Logout" action="#{userBean.logout}" />

My logout link action:

public void logout() throws IOException
{
    // Invalidate the HTTP session, then redirect to a protected page
    FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    FacesContext.getCurrentInstance().getExternalContext().redirect("add_international_job.faces");
}

Now when logout is called, it redirects to another page which should require authentication. But it is rendered as if the user is logged in. PS: when the user types the URL of the same page in the address bar for the first time, he is presented with the authentication challenge (it means that there is no problem in making that page password protected).

Answer

You're using HTTP BASIC authentication instead of HTTP FORM authentication with j_security_check. BASIC authentication is done by the Authorization request header sent from the browser side, which is session independent.

To force a "logout" on BASIC authentication, the server basically needs to return a 401 response.

FacesContext facesContext = FacesContext.getCurrentInstance();
ExternalContext externalContext = facesContext.getExternalContext();
// Drop the server-side session...
externalContext.invalidateSession();
// ...and answer with 401 so the browser stops reusing its cached credentials
externalContext.responseSendError(401, "You are logged out.");
facesContext.responseComplete();

This will present an HTTP 401 error page, which is customizable as <error-page> in web.xml.

You can instead also return an HTML page with a meta refresh so that the end user is redirected to the desired target page as specified in the meta refresh header content.

FacesContext facesContext = FacesContext.getCurrentInstance();
ExternalContext externalContext = facesContext.getExternalContext();
externalContext.invalidateSession();
// Set the 401 status ourselves instead of sendError(), so the container does not
// substitute its error page and our own HTML body is what the browser receives
externalContext.setResponseStatus(401);
externalContext.getResponseOutputWriter().write("<html><head><meta http-equiv='refresh' content='0;add_international_job.faces'></head></html>");
facesContext.responseComplete();

This seems indeed pretty low level and hacky, but BASIC authentication is also pretty low level. This isn't necessary when using FORM authentication. Just invalidating the session and sending a normal redirect should work for FORM authentication.
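The same idea as a plain servlet, as an added example that is not part of the question or the answer above: it combines the two variants from the answer (server-side cleanup plus a 401 carrying a meta refresh) and additionally calls the Servlet 3.0 `HttpServletRequest.logout()` so Tomcat also forgets the principal it cached for the session. The `/logout` URL, the `BasicAuthLogoutServlet` class name and the `add_international_job.faces` target are assumptions for illustration; the servlet must be deployed on Servlet 3.0+ (Tomcat 7 or later) and be reachable under the `/*` security constraint from the question's web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed URL for this example; any path covered by the /* constraint will do.
@WebServlet("/logout")
public class BasicAuthLogoutServlet extends HttpServlet {

    // Assumed target page, taken from the question; adjust for your application.
    private static final String TARGET = "add_international_job.faces";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    private void doLogout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop all server-side state: the HTTP session and the principal that
        //    Tomcat cached for it. On its own this does NOT log the user out of
        //    BASIC auth, because the browser will simply resend the Authorization
        //    header with the next request and be authenticated again.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        request.logout(); // Servlet 3.0+; clears the container's notion of the caller

        // 2. Answer with 401 so the browser learns that its cached credentials
        //    were rejected. We set the status directly rather than calling
        //    sendError(), so the container does not replace our body with the
        //    <error-page> configured in web.xml.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");

        // 3. Send the user on to the target page via meta refresh; the container
        //    will challenge for credentials again when that page is requested.
        try (PrintWriter out = response.getWriter()) {
            out.print("<!DOCTYPE html><html><head>"
                    + "<meta http-equiv=\"refresh\" content=\"0;url=" + TARGET + "\">"
                    + "</head><body>You are logged out.</body></html>");
        }
    }
}
```

Two things worth checking in your own deployment: the response status must really be 401 (verify with `curl -i -u user:pass http://host/app/logout`), because a 200 or a 302 leaves the browser free to keep replaying the cached `Authorization` header; and `Cache-Control: no-store` keeps the 401 page itself out of the browser cache so that repeated logouts behave the same way.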

