How to properly logout of a Java EE 6 Web Application after logging in
Solution 1:
You should have a logout servlet/JSP which invalidates the session in one of the following ways:
- Before Servlet 3.0, using the session.invalidate() method, which invalidates the session also.
- Servlet 3.0 provides an API method, HttpServletRequest.logout(), which invalidates only the security context; the session still exists.
And the application UI should provide a link which invokes that logout servlet/JSP.
Question: Indeed, how can I force a logout after, say, the session times out, etc?
Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.
Solution 2:
You can do it programmatically using the logout() method of HttpServletRequest.
There is also a corresponding method for logging in with a username and password. These methods were added in Servlet 3.0, so they're available in Java EE 6.
A timeout is a different beast and can be specified in web.xml as follows:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
The time unit is minutes.
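A logout servlet that combines the two calls discussed in Solutions 1 and 2, as an added example that is not part of any of the answers: it clears the security context with logout() and then invalidates the session, which Solution 1 notes would otherwise still exist. The /logout mapping, the /index.jsp redirect target and the POST-only handling are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: "/logout" and "/index.jsp" are assumed names, not from the answers.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Only POST is implemented, so logout is a deliberate form submission.
    // HttpServlet's default doGet() rejects GET requests with an error status.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Servlet 3.0: drop the authenticated identity; afterwards
        // getRemoteUser() and getUserPrincipal() return null.
        request.logout();

        // logout() leaves the HttpSession in place, so discard it as well.
        // getSession(false) avoids creating a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep this response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");

        // Redirect so the next request starts without the old session.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

The session timeout configured in web.xml still applies independently; this servlet only covers an explicit logout.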
Solution 3:
Two-step process:
1. Create the logout page
2. Create a session bean with a logout method
STEP A: The Logout Page
<div class="mytext">
<p>Hello #{userSession.username}, </p>
<p><h:outputText value="It doesn't seem you're logged in anyway..." rendered="#{!userSession.userLoggedIn}" /></p>
</div>
<h:form class="mytext" rendered="#{userSession.userLoggedIn}" >
<h:panelGrid columns="2" >
<h:outputLabel value="Do you want to logout?" for="logout" />
<p:commandButton value="Logout" id="logout" action="#{userSession.logout}" />
</h:panelGrid>
</h:form>
STEP B: Session Bean Backing Code (snippet)
public String logout() {
    // getSession(false): do not create a new session just to invalidate it
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // Redirect to the index page after the session is gone
    return "/index?faces-redirect=true";
}

/** True if the container reports a logged-in user */
public boolean isUserLoggedIn() {
    String user = this.getUsername();
    return !(user == null || user.isEmpty());
}

/** Get the login username if it exists */
public String getUsername() {
    return FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
}