A pretty simple requirement. After logging into a web J2EE 6 application, how can I have the user log out again?
Most (all?) of the books and tutorials I have seen show how to add a login/loginerror page to their application and demonstrate the use of security principals/roles/realms etc. using the "j_security_check" method - all good. But then it's not clear how to give the user the power to log out. Indeed, how can I force a logout after, say, the session times out, etc.?
You should have a logout servlet/jsp which invalidates the session using the following ways:
session.invalidate() method, which invalidates the session also.
HttpServletRequest.logout(), which invalidates only the security context and the session still exists.
And the application UI should be providing a link which invokes that logout servlet/jsp.
Question: Indeed, how can I force a logout after, say, the session times out, etc?
Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.
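The two calls from the answer above combined in one logout servlet, as an added example that is not part of the original answer. The class name, the /logout mapping, the /login.jsp redirect target and the choice to accept POST only (so the UI control is a small form rather than a plain link) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping: the application's logout form posts to <context>/logout.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Servlet 3.0 API: clears the container-managed security context,
        // so getUserPrincipal() and getRemoteUser() return null afterwards.
        request.logout();

        // logout() leaves the HttpSession in place, so any attributes stored
        // for the user would survive. Drop the session too. getSession(false)
        // avoids creating a new session just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Assumed login page path. The next request to a protected resource
        // goes through j_security_check again.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

When the container expires a session through <session-timeout>, it performs the invalidation itself; this servlet only covers the user-initiated case.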