How to properly logout of a Java EE 6 Web Application after logging in

野的像风 2020-11-30 01:50

A pretty simple requirement. After logging into a web J2EE 6 application, how can I have the user log out again?

Most (all?) the books and tutorials I have seen show h

3 Answers
  • 2020-11-30 02:34

    You can do it programmatically using the logout() method of HttpServletRequest. There is also a corresponding method for logging in with username and password. These methods have been added in Servlet 3.0, so they're available in Java EE 6.

    A timeout is a different beast and can be specified in web.xml as follows:

    <session-config>
      <session-timeout>30</session-timeout> 
    </session-config>
    

    The time unit is minutes.

  • 2020-11-30 02:50

    Two-step process:

    1. Create the logout page
    2. Create a session bean with a logout method

    STEP A: The Logout Page

    <div class="mytext">
        <p>Hello #{userSession.username}, </p>
        <p><h:outputText value="It doesn't seem you're logged in anyway..." rendered="#{!userSession.userLoggedIn}" /></p>
    </div>
        <h:form class="mytext" rendered="#{userSession.userLoggedIn}" >
            <h:panelGrid columns="2"  >
                <h:outputLabel value="Do you want to logout?" for="logout"  />
                <p:commandButton value="Logout" id="logout" action="#{userSession.logout}" />                                      
            </h:panelGrid>
        </h:form>
    

    STEP B: Session Bean Backing Code (snippet)

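    public String logout() {
        // getSession(false) returns null instead of creating a new session just to invalidate it
        HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
        if (session != null) {
            // Discards the session and every attribute stored in it
            session.invalidate();
        }
        // Redirect so the browser issues a new request after the session is gone
        return "/index?faces-redirect=true";
    }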
    
    public boolean isUserLoggedIn() {
        String user = this.getUsername();
        boolean result = !((user == null)|| user.isEmpty());
        return result;
    }
    
    /** Get the login username if it exists */
    public String getUsername() {
        String user = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
        return user;
    }    
    
  • 2020-11-30 02:54

    You should have a logout servlet/JSP which invalidates the session in one of the following ways:

    • Before Servlet 3.0, use the session.invalidate() method, which also invalidates the session.
    • Servlet 3.0 provides an API method, HttpServletRequest.logout(), which invalidates only the security context; the session still exists.

    And the application UI should provide a link which invokes that logout servlet/JSP.

    Question: Indeed, how can I force a logout after, say, the session times out, etc?

    Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.

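A logout servlet that combines the two calls discussed in the answers above, so that neither the container identity nor the session data survives. This is an added example, not code from any of the posts; the `/logout` mapping and the `/index.xhtml` landing page are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: "/logout" and "/index.xhtml" are assumed names.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Only POST is handled, so a plain link or image tag on another
    // page cannot log the user out with a GET request.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Servlet 3.0: clear the container-managed identity. After this call
        // getRemoteUser() and getUserPrincipal() return null, but the
        // HttpSession and its attributes are still there.
        request.logout();

        // Discard the session and everything stored in it. getSession(false)
        // avoids creating a new session only to throw it away.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Redirect so the next page is rendered by a fresh, unauthenticated request.
        response.sendRedirect(request.getContextPath() + "/index.xhtml");
    }
}
```

The same two calls cover the timeout case from the server's point of view: when `<session-timeout>` expires, the container invalidates the session itself and the next request to a protected resource has to authenticate again.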