问题
A pretty simple requirement. After logging into web J2EE 6 application, how can I have the user logout again?
Most (all?) the books and tutorials I have seen show how to add a login/loginerror page to their application and demonstrate the use of security principals/roles/realms etc using the \"j_security_check\" method - all good. But then it\'s not clear how to give the user the power to logout. Indeed, how can I force a logout after, say, the session times out, etc?
回答1:
You should have logout servlet/jsp which invalidates the session using the following ways:
- Before Servlet 3.0, using
session.invalidate() methodwhich invalidates the session also. - Servlet 3.0 provides a API method
HttpServletRequest.logout()which invalidates only the security context and the session still exists.
And, the Application UI should be providing a link which invokes that logout servlet/jsp
Question: Indeed, how can I force a logout after, say, the session times out, etc?
Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.
回答2:
You can do it programmatically using the logout()-Method of HttpServletRequest. There is also a corresponding method for login in with username and password. These methods have been added in Servlet 3.0, so they're available in Java EE 6.
A timeout is a different beast and can be specified in web.xml as following:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
The time unit is minutes.
回答3:
Two step process -
1.create the logout page
2.create a session bean with a logout method
STEP A: The Logout Page
<div class="mytext">
<p>Hello #{userSession.username}, </p>
<p><h:outputText value="It doesn't seem you're logged in anyway..." rendered="#{!userSession.userLoggedIn}" /></p>
</div>
<h:form class="mytext" rendered="#{userSession.userLoggedIn}" >
<h:panelGrid columns="2" >
<h:outputLabel value="Do you want to logout?" for="logout" />
<p:commandButton value="Logout" id="logout" action="#{userSession.logout}" />
</h:panelGrid>
</h:form>
STEP B: Session Bean Backing Code (snippet)
public String logout() {
HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true);
session.invalidate();
return "/index?faces-redirect=true";
}
public boolean isUserLoggedIn() {
String user = this.getUsername();
boolean result = !((user == null)|| user.isEmpty());
return result;
}
/** Get the login username if it exists */
public String getUsername() {
String user = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
return user;
}
来源:https://stackoverflow.com/questions/10893727/how-to-properly-logout-of-a-java-ee-6-web-application-after-logging-in