Tags: java, apache, jsp, tomcat, j-security-check

Stop Tomcat from saving user credentials


I'm developing a simple web application with Apache Tomcat and Java EE.

I'm using my own JDBC domain realm to secure and authenticate the users, and I'm using the BASIC authentication method with j_security_check.

I've implemented a logout servlet and everything works fine. But when I log out and try to log in again, the application or the browser is using the previous credentials and doesn't even ask me to enter other credentials. It just automatically logs in using the latest credentials used. Only when I reset the server and close my browser (Chrome) does Tomcat ask for credentials again.

My objective is to prevent this automatic login. Am I doing something wrong?

Update: my logout servlet does the following:

// Tell the browser and any proxy not to cache the logout response.
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");

// Drop the application's own login state, then the whole session
// (Tomcat also caches the authenticated Principal in the session).
// Note: this does nothing to the Authorization header the browser
// still holds for the BASIC realm.
request.getSession().removeAttribute("logonSessData");
request.getSession().invalidate();
response.sendRedirect(request.getContextPath() + "/index.jsp");

My login configuration in web.xml looks like this:

<security-constraint>
    <display-name>userConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>User pages</web-resource-name>
        <description/>
        <url-pattern>/users/*</url-pattern>
        <url-pattern>/retos/misiones/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <!-- With BASIC auth the password crosses the wire merely base64-encoded;
             NONE is fine for local development, but production wants CONFIDENTIAL
             so the container forces HTTPS for these URLs. -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SPERO</realm-name>
</login-config>
<security-role>
    <description>Usuario registrado de SPERO</description>
    <role-name>user</role-name>
</security-role>
<resource-ref>
    <description>Spero DataBase Connection Pool</description>
    <res-ref-name>jdbc/spero</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

Solution

  • If your application targets Servlet 3.0, you should use request.logout() in your logout servlet. It should properly invalidate the session and remove the user credentials; see the javadoc for request.logout. If Tomcat doesn't implement it correctly, you should call session.invalidate().
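As an added example (not the answer's or the asker's code), here is a complete logout servlet for a Servlet 3.0 container such as Tomcat 7+ that follows the advice above and also deals with the part that request.logout() and session.invalidate() cannot reach: with BASIC authentication the browser keeps the Authorization header it built from the credentials you typed and resends it on every later request to the same realm, so after a purely server-side logout the very next request is authenticated again without any prompt. The realm name SPERO comes from the question's web.xml; the mapping /users/logout (chosen so it sits inside the protected /users/* space and the browser therefore sends the header along) and everything else in the class are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping: inside the protected /users/* space from the question's
// web.xml, so the browser attaches its cached Authorization header.
@WebServlet("/users/logout")
public class LogoutServlet extends HttpServlet {

    // Must match <realm-name> in web.xml, otherwise the browser treats the
    // 401 below as a different protection space and keeps the old credentials.
    private static final String REALM = "SPERO";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Never let the browser or a proxy cache the logout response.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Remember whether the container considered this request authenticated
        // before we tear anything down; that decides whether to challenge below.
        boolean wasAuthenticated = request.getUserPrincipal() != null;

        // 1. Servlet 3.0: clear the container's notion of the authenticated user.
        //    After this, request.getUserPrincipal() returns null for this request.
        try {
            request.logout();
        } catch (ServletException e) {
            // A container that cannot log out throws; step 2 still runs.
        }

        // 2. Drop the session as well. Tomcat caches the authenticated Principal
        //    in the session, and all application state (e.g. logonSessData) lives there.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. BASIC-specific: steps 1 and 2 only affect the server. The browser still
        //    holds the Authorization header and would resend it on the next request,
        //    letting Tomcat re-authenticate silently. Answering 401 for the same realm
        //    makes common browsers discard the cached credentials and prompt again.
        //    This relies on browser behaviour, not on a guarantee of the HTTP spec.
        if (wasAuthenticated) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "You have been logged out. Cancel the login dialog to continue.");
            return;
        }

        // Not logged in to begin with: just go back to the public start page.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

Expect the browser to show a login dialog right after clicking logout; cancelling it is what leaves the browser without cached credentials, so the next visit to a protected URL prompts again. If that user experience is unacceptable, the clean fix is to switch <auth-method> to FORM: form-based login keeps the credentials only in the server-side session, so request.logout() plus session.invalidate() is then a complete logout, and the protected pages should still be served over HTTPS (transport-guarantee CONFIDENTIAL) either way.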