Recipe 15.5 Logging Out a UserProblemYou want to log out a user in a system that uses form-based authentication. SolutionCall invalidate( ) on the user's HttpSession object. DiscussionInvalidating a user's HttpSession object will log the user out in an application that uses form-based authentication. Naturally, this code involves calling HttpSession.invalidate( ) . Example 15-8 displays some information about a logged-in user, then logs him out by invalidating his session. The next time this user requests a protected resource, the web application will send him to the configured login page, because he has been logged out of the application. Example 15-8. Logging out a user package com.jspservletcookbook; import javax.servlet.*; import javax.servlet.http.*; public class LogoutServlet extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response)throws ServletException, java.io.IOException { HttpSession session = request.getSession( ); response.setContentType("text/html"); java.io.PrintWriter out = response.getWriter( ); out.println( "<html><head><title>Authenticated User Info</title></head><body>"); out.println("<h2>Logging out a user</h2>"); out.println("request.getRemoteUser( ) returns: "); //get the logged-in user's name String remUser = request.getRemoteUser( ); //Is the request.getRemoteUser( ) return value null? If //so, then the user is not authenticated out.println(remUser == null ? "Not authenticated." : remUser ); out.println("<br>"); out.println("request.isUserInRole(\"dbadmin\") returns: "); //Find out whether the user is in the dbadmin role boolean isInRole = request.isUserInRole("dbadmin"); out.println(isInRole); out.println("<br>"); //log out the user by invalidating the HttpSession session.invalidate( ); out.println("</body></html>"); } //doGet public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException { doGet(request,response); } //doPost } //LogoutServlet A logged-in user who requests this servlet sees the output in Figure 15-5. The servlet displays the return values of HttpServletRequest.getRemoteUser( ) (the username) and HttpServletRequest.isUserInRole( ) . The latter method returns a boolean value indicating whether the user is associated with the role specified by the method's String parameter. Figure 15-5. A servlet shows some user- related information before logging out the userThe servlet then invalidates the user's session to log her out. Rerequesting the servlet produces the output shown in Figure 15-6. Figure 15-6. The servlet's output indicates a logged-out userSee AlsoThe Tomcat documentation and Recipe 15.2 on setting up SSL for use with authentication: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html; Recipe 3.9 on restricting requests for certain servlets; Recipe 15.6-Recipe 15.9 on using JAAS. |