JAAS logout example
Introduction
Following the first couple of articles related to JAAS, some readers requested a new article about the JAAS logout process.
This article shows how to log out users authenticated via JAAS and builds on the following previous articles:
JAAS authentication in Tomcat example
JAAS form based authentication in Tomcat example
The following software and environment were used:
- Ubuntu 12.04
- JDK 1.7.0.09
- Tomcat 7.0.35
The secure page
Once again, this tutorial builds on the previous tutorials mentioned in the Introduction. If you are not familiar with the concepts described next, you should go through those tutorials first.
We will change the secure page used in the JAAS form based authentication in Tomcat example article to include a logout link:
<?xml version="1.0" encoding="UTF-8" ?>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Welcome</title>
</head>
<body>
<% String username = request.getRemoteUser(); %>
<span>Hello <%= username %>. This is a secure resource</span>
<br />
<a href="${pageContext.request.contextPath}/logout">Logout</a>
</body>
</html>
With this modification, a logout link is shown when we access the secure page.
As the secure page source shows, the logout URL in this case will be:
http://localhost:8080/testapp/logout
Now we just need to handle the logout request. We will write a simple servlet for this purpose.
The logout Servlet
The logout servlet we just mentioned in the previous section may look like the following:
package com.byteslounge.jaas;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "logoutServlet", urlPatterns = {"/logout"})
public class LogoutServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Invalidate current HTTP session.
        // Will call JAAS LoginModule logout() method
        request.getSession().invalidate();

        // Redirect the user to the secure web page.
        // Since the user is now logged out the
        // authentication form will be shown
        response.sendRedirect(request.getContextPath() + "/admin/admin.jsp");
    }
}
We are just calling the standard HTTP session invalidation method: HttpSession.invalidate().
As soon as this method is called, the logout method of the JAAS LoginModule is called as well.
To recall, this is the logout method from the LoginModule implemented in the previous articles mentioned in the Introduction:
@Override
public boolean logout() throws LoginException {
    subject.getPrincipals().remove(userPrincipal);
    subject.getPrincipals().remove(rolePrincipal);
    return true;
}
Basically we remove the Principals we had previously assigned to the authenticated Subject when the user first logged into the system.
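As an added, stand-alone example (not code from the tutorial or its download), the following program drives a minimal LoginModule through LoginContext outside Tomcat so the effect of logout() on the Subject's principal set can be observed directly. It assumes a demo module with a fixed user and role, uses X500Principal in place of the tutorial's own principal classes, registers its Configuration programmatically instead of through a jaas.config file, and adds a guard so logout() only removes what commit() actually added.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
public class LogoutDemo {
    public static class DemoLoginModule implements LoginModule { // demo module, not the tutorial's
        private Subject subject;
        private X500Principal userPrincipal, rolePrincipal;
        private boolean committed;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { // credential check omitted; the earlier tutorials cover it
            userPrincipal = new X500Principal("CN=alice");
            rolePrincipal = new X500Principal("CN=admin,OU=roles");
            return true;
        }
        public boolean commit() {
            subject.getPrincipals().add(userPrincipal);
            subject.getPrincipals().add(rolePrincipal);
            committed = true;
            return true;
        }
        public boolean abort() { userPrincipal = rolePrincipal = null; return true; }
        public boolean logout() {
            // Remove only what commit() added, then drop our own references so nothing lingers
            if (committed) {
                subject.getPrincipals().remove(userPrincipal);
                subject.getPrincipals().remove(rolePrincipal);
            }
            userPrincipal = rolePrincipal = null;
            committed = false;
            return true;
        }
    }
    public static void main(String[] args) throws LoginException {
        // Register the module programmatically so the demo needs no jaas.config file
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        });
        LoginContext lc = new LoginContext("demo", new Subject());
        lc.login();
        System.out.println("after login: " + lc.getSubject());   // Subject lists both principals
        lc.logout();
        System.out.println("after logout: " + lc.getSubject());  // Subject lists no principals
    }
}
```

Compile with javac and run with java LogoutDemo; in Tomcat the same logout() call is reached through the session invalidation shown in the servlet above rather than through a LoginContext you hold yourself.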
Downloadable sample
The tutorial source code is available for download at the end of this page.