Wednesday, January 25, 2006

Form based authentication - logout

When using form-based authentication in a J2EE application, the standard way to log the user out is to invalidate the user's session on the web server. In a simple servlet, the logout steps look like this:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class LogoutServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getSession().invalidate();  // drop the server-side session state
        resp.sendRedirect("/myapp/");   // send the user back to the application's start page
    }
}


This is quite a simple way of implementing logout. There is also another, easier, way to log the user out when using WebSphere Application Server. All you have to do is have a form with the action set to "ibm_security_logout".
<FORM METHOD="POST" ACTION="ibm_security_logout" NAME="logoutForm">
Click this button to log out:
<INPUT TYPE="submit" NAME="logout" VALUE="Logout">
<INPUT TYPE="hidden" NAME="logoutExitPage" VALUE="/myapp/">
</FORM>


In the above example, the hidden field "logoutExitPage" is the page the user is sent to after logout.
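The servlet in the post only invalidates the server-side session. The following is an added example, not code from the original post: a hypothetical LogoutServlet that does the same invalidation and also expires the cookies the browser would otherwise keep presenting (the JSESSIONID session cookie and the WebSphere LTPA single-sign-on cookie), sends no-cache headers, and accepts only POST. The cookie names, the cookie path "/" and the exit page "/myapp/" are assumptions; they must match what your server actually issues.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet (added example, not from the original post).
 * Invalidates the HTTP session as in the post, then expires the client-side
 * cookies that carry the session id and the LTPA SSO token so that a later
 * request from the same browser does not present a still-valid credential.
 */
public class LogoutServlet extends HttpServlet {

    // Assumed cookie names: JSESSIONID is the Servlet default session cookie,
    // LTPAToken2 / LTPAToken are the WebSphere SSO cookie names. Check the
    // names your server really sets before relying on this list.
    private static final String[] AUTH_COOKIES = { "JSESSIONID", "LTPAToken2", "LTPAToken" };

    // Assumed exit page, matching the post's example.
    private static final String EXIT_PAGE = "/myapp/";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) avoids creating a fresh session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Expire the cookies in the browser. maxAge 0 tells the browser to delete
        // the cookie; the path (and, for LTPA, the SSO domain if one is
        // configured) must match the original cookie, otherwise the browser
        // treats this as a different cookie and keeps the old one.
        for (String name : AUTH_COOKIES) {
            Cookie expired = new Cookie(name, "");
            expired.setMaxAge(0);
            expired.setPath("/");   // assumption: cookies were issued with path "/"
            resp.addCookie(expired);
        }

        // Keep the logged-out response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        resp.sendRedirect(EXIT_PAGE);
    }

    // Logout changes state, so only accept POST (from a form like the one in
    // the post); a plain GET link is easier to trigger unintentionally.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Deleting the LTPA cookie only removes the token from that browser; the token itself stays valid on the server until it expires, which is why WebSphere's own ibm_security_logout is the better choice when the application is tied to WebSphere anyway.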

5 comments:

  1. Thank you for your comment Saahil. If you went through my blog, you must have noticed that I do include relevant links in most of my posts. But for this particular one, I only had the Servlet 2.4 specification and the WebSphere InfoCenter (which is well known to most WebSphere users, but probably not to newbies), and hence I did not include any links. FYI, the InfoCenter contains extensive documentation for everything related to WebSphere Application Server.

  2. Although the use of ibm_security_logout may seem easier, it has two serious issues:
    1. It forces the web developer to assume that the application will be deployed with WebSphere (not very desirable if you wish to remain vendor-agnostic).
    2. Rather than adding to the typical implementation, WebSphere seems to have hijacked it (session.invalidate()) and forced developers to do something for reasons that aren't explained in WebSphere documentation.

  3. Hira, I agree with you on the first point, but on the second one I **guess** they would be doing more than session.invalidate(), they would also be clearing the JAAS subject that will be created here. Please correct me if I am wrong.

  4. For some reason, every time I use form-based logout it always sends me to the login page, regardless of the value in the logoutExitPage field. It only shows me the page I intended to show after I log in on the page I was redirected to.

  5. There is a substantial difference between HttpSession.invalidate() and ibm_security_logout: if WAS is relying upon LTPA for authentication and authorization, the former method won't invalidate the LTPA provider's token. As such, the user will be able to re-login without credentials even if the session is no longer valid.
