How do you force a logout for an authenticated user


Dave

Nov 2, 2006, 5:51:47 PM
to Google Web Toolkit
We have a large GWT application which is deployed on BEA Weblogic. The
GWT app is part of a web application. We use the standard HTML form
authentication to login users.

We'd like to have a Logout button on our GUI, but we are unable to get
GWT to perform the logout.

The button has a call to an RPC method and in the servlet
implementation of the RPC call we have code like the following.

public void logoutUser() {
    // Request bound to the current RPC call by the GWT RemoteServiceServlet
    HttpServletRequest req = getThreadLocalRequest();
    HttpSession session = req.getSession();
    // Drop the server-side session so its id is no longer valid
    session.invalidate();
    // WebLogic-specific: also clear the container-managed authentication
    weblogic.servlet.security.ServletAuthentication.logout(req);
}

The last API is a weblogic specific API, but I would think killing the
session should do the same thing.

The problem is that if the GWT GUI is still active, the user can click
on another element and the session will be reestablished.

I guess we could disable the main GUI of the app. In our case the
code for the logout button is in our main application module.

What are other folks doing?

Dave

Nov 2, 2006, 6:11:11 PM
to Google Web Toolkit
Firefox in particular is a problem

mP

Nov 2, 2006, 6:12:27 PM
to Google Web Toolkit
Have you tried reloading the GWT-powered app's page?

Because you invalidated/killed the session the browser cookie should
now be invalid and so the user would need to reauthenticate.

Dave

Nov 2, 2006, 8:03:51 PM
to Google Web Toolkit
We're trying to use the normal J2EE security model for authentication
of users. I know our users have been forced to authenticate because the
RPC calls are working. Our RPC servlets require the user to possess a
role before they will even run.

The problem I have is if I have my server running, open a browser
login, use my logout button as shown and then come back to the site,
I'm still logged in. It is almost like GWT is remembering the session
and that is somehow cached in the browser.

Dave

Dave

Nov 2, 2006, 8:41:27 PM
to Google Web Toolkit
I used the Tamper Data extension of Firefox to watch the HTTP request
and response traffic. The session does end when I run my logout code.
When I click on a link back to my site I would expect the software to
ask me to login again, but I am not asked to login. Instead I get a new
session without a login.

dominik_steiner

Nov 3, 2006, 1:45:38 AM
to Google Web Toolkit
Hi Dave,

I'm not sure which J2EE security model you're talking about, but in
our app we use a filter which checks if the user is logged on.

So my logout link refers to a JSP which basically just does this:

<%
    session.invalidate();                 // drop the server-side session
    response.sendRedirect("redirect.jsp"); // then bounce to the redirect page
%>

and the redirect page does

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<c:redirect url="index.html"/>

And as the session is invalidated, the filter recognizes the new page
load as a new user, so the user needs to authenticate again.

Hope this helps.

Dominik
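As an added example (not code posted in this thread), here is a servlet-side logout that invalidates the session, expires the JSESSIONID cookie in the browser and forbids caching of the response, paired with the kind of login-check filter Dominik describes; the filter never creates a session itself, so a request arriving after logout fails closed. The "user" session attribute and the /login.html and /index.html paths are assumed names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Logout endpoint: kill the session server-side, expire the cookie, forbid caching. */
public class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // do not create one just to kill it
        if (session != null) {
            session.invalidate();                    // server no longer knows this id
        }
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);                           // browser discards the cookie
        String ctx = req.getContextPath();
        dead.setPath(ctx.length() == 0 ? "/" : ctx); // must match the path the container used
        resp.addCookie(dead);
        resp.setHeader("Cache-Control", "no-store"); // back button must not show the app
        resp.setHeader("Pragma", "no-cache");
        resp.sendRedirect(ctx + "/index.html");      // assumed public landing page
    }
}

/** Gate every protected URL on an authenticated session ("user" attribute is assumed). */
class LoginCheckFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false); // never create a session here
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            resp.sendRedirect(req.getContextPath() + "/login.html"); // assumed login page
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map the filter to the GWT module path and the RPC servlets in web.xml so that a stale page that fires an RPC after logout is redirected rather than silently given a fresh anonymous session.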
