Everything works fine, but the logout and the session destroy don't work, and I don't know why.
Why can I still get access to the protected area if the session is invalidated or the session timeout is reached?
Look at this in the HTTP server monitor:
'http://localhost:8080/psg/admin/'
<security-constraint>
    <display-name>My First Sec Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
..
Login servlet mapped to /admin/
// getSession() creates a session if none exists, so it never returns null; the check below is redundant.
HttpSession session = request.getSession();
if (session != null) {
    session.setAttribute("ID", session.getId());
    // getRemoteUser() is the principal the container authenticated (BASIC/DIGEST/FORM).
    session.setAttribute("User", request.getRemoteUser());
    session.setAttribute("isAuthenticated", true);
    getServletContext().getRequestDispatcher("/index.jsp").forward(request, response);
}
Logout servlet mapped to /admin/logout
// getSession(false) returns null if no session exists, so the null check is needed here.
HttpSession session = request.getSession(false);
if (session != null) {
    session.invalidate();
    response.sendRedirect(request.getContextPath());
}
The same issue occurs when the session timeout should destroy the session. I can still get a valid session after this duration if I enter the protected area /psg/admin/
<session-timeout>1</session-timeout>
In the case of basic and digest authentication, the browser will resend the user's credentials, so effectively there is no logout, only session invalidation.
You need to use form-based authentication for logout to work.
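The mechanism behind the answer: with BASIC or DIGEST, the browser caches the credentials and resends the `Authorization` header on every request to the realm, so the container simply authenticates again and hands out a fresh session, whether the old one was invalidated or timed out. With FORM authentication the authenticated principal lives in the server-side session, so ending that session ends the login. Below is an added example (not code from the original question or answer) of a logout servlet for FORM-based container authentication on Servlet 3.0+. The login/error page paths in the `web.xml` comment and the `/admin/logout` mapping are assumptions; the `JSESSIONID` cookie name is the servlet default and may differ if your container is configured otherwise.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout for FORM-based container authentication (Servlet 3.0+).
 *
 * The web.xml must switch <login-config> from BASIC/DIGEST to FORM.
 * Assumed fragment (page paths are an assumption for this example);
 * /login.jsp must POST j_username and j_password to j_security_check:
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 */
@WebServlet("/admin/logout")   // assumed mapping, matching the question's URL layout
public class FormLogoutServlet extends HttpServlet {

    // Logout is a state-changing action: accept it via POST so a hostile
    // page cannot log the user out with a plain <img src=...> (logout CSRF).
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Ask the container to forget the authenticated principal
        //    (getRemoteUser()/getUserPrincipal() return null afterwards).
        request.logout();

        // 2. Drop the server-side session and everything stored in it
        //    ("ID", "User", "isAuthenticated", ...). getSession(false) does
        //    not create a session if none exists, hence the null check.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie on the client so the old id is not
        //    resent. The cookie path must match the one the container set.
        String ctx = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(ctx.isEmpty() ? "/" : ctx);
        expired.setHttpOnly(true);
        response.addCookie(expired);

        // 4. Stop the browser from serving the last protected page from its
        //    cache after logout, then send the user to the public root.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(ctx + "/");
    }

    // A GET to /admin/logout renders nothing sensitive and just points the
    // user at the POST endpoint, keeping logout out of reach of simple links.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().print(
            "<form method=\"post\" action=\"" + request.getContextPath()
            + "/admin/logout\"><button type=\"submit\">Log out</button></form>");
    }
}
```

To verify the fix, log in, note the `JSESSIONID`, POST to `/admin/logout`, and then request `/psg/admin/` again with the old cookie: the container should now answer with the login page (or a redirect to it) instead of the protected content. Repeating the same check under BASIC shows the difference described in the answer: the browser (or a client that keeps sending the `Authorization` header) is re-authenticated and receives a new session, so `request.logout()` and `invalidate()` alone cannot end a BASIC or DIGEST login.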