Servlet 3.0 logout does not work

Published 2024-09-02 19:05:33

I've got a problem with the authentication features of Servlet 3.0:

With this code in a Servlet v3:

// Inside a Servlet 3.0 doGet(): request is an HttpServletRequest, response an HttpServletResponse
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());
log.info("===^===");
request.logout();               // declared to throw ServletException
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());
request.authenticate(response); // declared to throw IOException, ServletException
log.info("===v===");
log.info("" + request.getUserPrincipal());
log.info("" + request.getAuthType());

I would always expect to see the username/login window, because of the logout() function. Instead, there seems to be a 'cache' mechanism which repopulates the credentials and cancels my logout...

Admin

BASIC

===^===

null

null

===v===

Admin

BASIC

Is it a problem with my Firefox, or something I'm missing in the Servlet code?

Comments (2)

一抹微笑 2024-09-09 19:05:33

I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulate the credential and cancel my logout ...

That's the way HTTP BASIC AUTH was designed: it allows all authentication state to be kept in the client. In other words, it's impossible to log out with basic/digest authentication; the server cannot stop a client from caching and resending a BASIC auth authenticator on subsequent requests to the server.

My suggestion is to use form-based authentication and the login method of HttpServletRequest.


放血 2024-09-09 19:05:33

It's neither. Once logged in, the browser will always pass your user id and password to the URL, until you restart your browser. As far as I know each browser does that. And as far as I know there's currently no way to tell the browser to forget about the credentials.

However, you'll see your session will be different once you have logged out. The usual solution is to add a variable of some kind to the session, say "loggedin". If this variable is missing, you know the user has to log in first and you redirect to, say, login.jsp. And once the user has passed this JSP, you set this variable again.

Using filters you can enforce this system-wide.
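The approach the two answers describe, combined into one added example (written for this page, not code from either answerer or from any container project): a form-based login servlet that calls the Servlet 3.0 HttpServletRequest.login() method and then sets the "loggedin" session flag, a logout servlet that calls logout() and invalidates the session, and a filter that enforces the flag for every path except the login page and login action. The package name, the /login, /logout and /login.jsp paths, and the username/password form field names are assumptions; the example also assumes the web application has a realm configured so that login() can succeed.

```java
package example.auth; // hypothetical package name, not from the thread

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Shared names; the paths are assumed for this example. */
final class AuthPaths {
    static final String LOGGED_IN = "loggedin";      // the session flag from the second answer
    static final String LOGIN_PAGE = "/login.jsp";   // form page, reachable without a session
    static final String LOGIN_ACTION = "/login";     // where login.jsp POSTs to
    private AuthPaths() { }
}

/** Handles the POST from login.jsp: container login, then a fresh session carrying the flag. */
@WebServlet(AuthPaths.LOGIN_ACTION)
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username"); // assumed form field names
        String pass = req.getParameter("password");
        try {
            // Servlet 3.0 programmatic login against the realm configured for this web app.
            req.login(user, pass);
        } catch (ServletException bad) {
            // Bad credentials (or no login mechanism configured): back to the form, no detail leaked.
            resp.sendRedirect(req.getContextPath() + AuthPaths.LOGIN_PAGE + "?error=1");
            return;
        }
        // Discard any pre-login session so a session id handed to the user earlier is not
        // upgraded to an authenticated one (session fixation). changeSessionId() is 3.1+, so
        // invalidate and recreate instead.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(AuthPaths.LOGGED_IN, Boolean.TRUE);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}

/** Logout: tell the container, then destroy the session that carried the flag. */
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // the flag disappears with the session
        }
        resp.sendRedirect(req.getContextPath() + AuthPaths.LOGIN_PAGE);
    }
}

/** Enforces the flag system-wide, as the second answer suggests. */
@WebFilter("/*")
class LoggedInFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Path relative to the context root, so the check does not depend on the deployment name.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.equals(AuthPaths.LOGIN_PAGE) || path.equals(AuthPaths.LOGIN_ACTION)) {
            chain.doFilter(request, response); // login page and action stay reachable
            return;
        }
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute(AuthPaths.LOGGED_IN));
        if (!loggedIn) {
            resp.sendRedirect(req.getContextPath() + AuthPaths.LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Because the authentication state now lives in the server-side session rather than in a BASIC Authorization header that the browser resends on its own, invalidating the session is what actually ends the login; request.logout() alone would leave the flag in place, and the flag alone would leave the container's notion of the user in place, so the logout servlet does both. The logout endpoint accepts POST only so that a cross-site GET (an image tag, a link) cannot log the user out.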
