
how to implement production ready login logout functionality in servlet jsp

My question is simple - how to implement login-logout in servlet jsp?

Following is the use case...

  • I have a users table in the DB with email, username and password
  • I have a mapped bean object, User, in Java with email, username and password properties
  • I simply want to log in by validating email and password, BUT
  • Once I log in and then log out, when I click the back button it should not retain the session.
    • It should not give any warning but should simply ask for login
    • If I copy-paste a restricted resource's link, it should ask for login

What all solutions I've gone through...

  • Some say to implement Tomcat security using roles and bla bla... But I think I should not set usernames and passwords in some Tomcat config file, because the details are in a DB table
  • Some ask to implement no-cache, pragma bla bla... but it never works
  • Disabling the back button is a foolish thing

**What help am I expecting from you guys...?**

  • Is there any third-party API available to do this?
  • How are things implemented in production-ready applications?
  • Should I use JAAS, or any other security process, for exactly the above-mentioned scenario, OR WHAT?
  • Please give me some hint or solution on how I should proceed with implementing production-ready login-logout in servlet-JSP

I've searched on the internet but end up with simple login examples or Tomcat security roles etc. No one gives the actual solution. And please don't say that this question is NOT RELATED TO this FORUM.

Thanks

This happens because the browser caches the web pages that are being loaded; you can prevent it by using filters and telling the browser not to cache the web pages, like below (the doFilter method of a Filter):

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser (and any proxy) not to cache protected pages,
        // so the back button cannot show them after logout.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        HttpSession session = request.getSession(false); // don't create if session doesn't exist

        if (session == null || session.getAttribute("username") == null) {
            // Not logged in: dispatch it to your desired page, i.e. the login page
            RequestDispatcher rd = request.getRequestDispatcher("login");
            rd.forward(request, response);
        } else {
            chain.doFilter(req, res);
        }
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }
}

You should configure this filter inside web.xml, or using annotations, for the url-patterns you want to filter. Refer to the documentation for more details.

If you're using Tomcat then a good place to start is Tomcat Standard Realm Implementations.

It's important to remember that normal Java EE security authenticates users and authorises them using roles - even if you only have the one.

Once you have done that you can implement Logout by invoking a servlet which calls HttpServletRequest.logout() and then invalidates the HttpSession:

    request.logout();
    request.getSession().invalidate();

and then:

    response.sendRedirect("some protected page");

which should resolve your back button problem and land back on the login page.
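The logout step from the answer above, written out as a complete servlet; this is an added example, not code from either answerer. It assumes the Servlet 3.0 API (`javax.servlet`), that the filter above keys on a `"username"` session attribute, and that the login page lives at `/login.jsp` (a placeholder path, not from the original post).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Ends the session on the server, expires the session cookie on
// the client, and forbids caching of this response, so that neither the back
// button nor a pasted link to a protected URL can pass the auth filter afterwards.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Logout is accepted on POST only (a form with a button), so a third-party
    // page cannot log a user out simply by linking to /logout. The default
    // HttpServlet.doGet() answers GET with 405.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Server side: drop the container principal (no-op unless a Realm
        //    authenticated the user) and invalidate the session that the
        //    filter's "username" attribute lives in.
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Client side: expire the JSESSIONID cookie so the old id is not
        //    re-sent. The path must match the one the container used, i.e. the
        //    context path, or "/" for the root context.
        String contextPath = request.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setHttpOnly(true);
        response.addCookie(cookie);

        // 3. This redirect must not be cached either; then land on the login page
        //    (placeholder path assumed for this example).
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(contextPath + "/login.jsp");
    }
}
```

After this, pressing back reaches the auth filter with no session, so it forwards to the login page instead of the cached protected page.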
