
I'm developing a simple web application with Apache Tomcat and Java EE.

I'm using my own JDBC Domain realm to secure and authenticate the users, and I'm using the Basic authentication method with j_security_check.

I've implemented a logout Servlet and everything works fine. But when I log out and try to log in again, the application or the browser is using the previous credentials and it's not even asking me to put in other credentials. It just automatically logs in using the latest credentials used. Only when I reset the server and close my browser (Chrome) does Tomcat ask again for credentials.

My objective is to prevent this automatic login process. Am I doing something wrong?

Update: My logout Servlet is doing the following:

// Tell the browser not to cache the logout response
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");

// getSession(false) avoids creating a brand-new session just to destroy it
HttpSession session = request.getSession(false);
if (session != null) {
    session.removeAttribute("logonSessData");
    session.invalidate();
}
response.sendRedirect(request.getContextPath() + "/index.jsp");

My Login web.xml looks just like this:

<security-constraint>
    <display-name>userConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>User pages</web-resource-name>
        <description/>
        <url-pattern>/users/*</url-pattern>
        <url-pattern>/retos/misiones/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SPERO</realm-name>
</login-config>
<security-role>
    <description>Usuario registrado de SPERO</description>
    <role-name>user</role-name>
</security-role>
<resource-ref>
    <description>Spero DataBase Connection Pool</description>
    <res-ref-name>jdbc/spero</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
  • What is your logout servlet doing? Is it invalidating the session properly? – RP- Sep 10 '14 at 19:49
  • Yes, I have checked that when I send the wrong credentials, the container denies access. So I'm sure it's not an authentication issue. – chntgomez Sep 11 '14 at 01:27

1 Answer

If your application is Servlet 3.0, you should use request.logout() in your logout servlet. It should properly invalidate the session and remove the user credentials; see the javadoc for request.logout. If Tomcat doesn't implement it correctly, you should call session.invalidate().

  • I also clear the cache before invalidating the session. That's not the root cause. – chntgomez Sep 11 '14 at 01:27
  • @chntgomez Please add your logout method to the question. And one clarification: you cannot use BASIC and j_security_check. j_security_check is for Form based. If you use Basic, credentials are stored in the browser and automatically resent. You have to switch to Form. – Gas Sep 11 '14 at 01:51
  • @chntgomez Are you logging in through a form or a browser popup? And add web.xml to the question, especially the `` part. – Gas Sep 12 '14 at 07:00
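A logout servlet along the lines of the answer above, as an added example (not code from the question or the answer): it calls the Servlet 3.0 `request.logout()`, falls back to invalidating the session, and sets no-cache headers before redirecting. The `/logout` mapping and the `LogoutServlet` class name are assumptions; as the comments note, with BASIC auth the browser keeps the credentials and resends them on the next challenge, so this only produces a real logout once the app is switched to FORM auth.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping; the real application may use a different URL.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Servlet 3.0: clears the container-managed principal for this request.
        // With BASIC auth the browser will still resend the Authorization header
        // on the next protected request, so the container re-authenticates the user;
        // FORM auth does not have this problem because nothing is cached client-side.
        try {
            request.logout();
        } catch (ServletException e) {
            // Fallback if the container does not implement logout() correctly.
            log("request.logout() failed, falling back to session invalidation", e);
        }

        // getSession(false) avoids creating a fresh session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Prevent the browser from serving a cached copy of any protected page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Allow a plain link to trigger logout as well as a form POST.
        doPost(request, response);
    }
}
```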