java, security, jakarta-ee, java-ee-6, servlet-3.0

Servlet 3.0 logout doesn't work


I've got a problem with the authentication features of Servlet 3.0:

With this code in a Servlet v3:

// state before logout
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());
log.info("===^===");
request.logout();
// state right after logout: principal and auth type are cleared
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());
// re-run the container's authentication for this request
request.authenticate(response);
log.info("===v===");
// state after authenticate(): the principal is back
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());

I would always expect to see the username/login window, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulates the credentials and cancels my logout ...

Admin
BASIC
===^===
null
null
===v===
Admin
BASIC

Is it a problem with my Firefox, or something I'm missing in the Servlet code?


Solution

  • I would always expect to see the username/login window, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulates the credentials and cancels my logout ...

    That's the way HTTP BASIC AUTH was designed: it allows all authentication state to be kept in the client. In other words, it's impossible to log out with basic/digest authentication; the server cannot stop a client from caching and resending a BASIC auth authenticator on subsequent requests to the server.

    My suggestion is to use form-based authentication and the login method of HttpServletRequest.

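As an added example (not code from the question or the answer), here is what the suggested approach looks like: a Servlet 3.0 servlet that logs in programmatically with HttpServletRequest.login() and logs out with logout() plus session invalidation. It assumes web.xml declares a FORM login-config backed by a container realm; the URL paths, form field names and redirect targets are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumes <login-config><auth-method>FORM</auth-method></login-config>
// in web.xml and a container-managed realm; paths below are placeholders.
@WebServlet(urlPatterns = {"/auth/login", "/auth/logout"})
public class FormAuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/auth/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Drop any pre-authentication session so a session id chosen before
        // login is never promoted to an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        try {
            // Servlet 3.0 programmatic login, validated by the container realm.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Bad credentials, already authenticated, or mechanism unsupported:
            // report a generic failure, do not echo the reason.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/secure/");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With FORM auth the container keeps the principal in the session, so
        // logout() plus invalidate() really ends the login; with BASIC the
        // browser would simply resend its cached Authorization header.
        req.logout();
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```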