[ Team LiB ] |
Recipe 15.5 Logging Out a User

Problem

You want to log out a user in a system that uses form-based authentication.

Solution

Call invalidate( ) on the user's HttpSession object.

Discussion

Invalidating a user's HttpSession object will log the user out in an application that uses form-based authentication. Naturally, this code involves calling HttpSession.invalidate( ). Example 15-8 displays some information about a logged-in user, then logs him out by invalidating his session. The next time this user requests a protected resource, the web application will send him to the configured login page, because he has been logged out of the application.

Example 15-8. Logging out a user

package com.jspservletcookbook;

import javax.servlet.*;
import javax.servlet.http.*;

public class LogoutServlet extends HttpServlet {

    public void doGet(HttpServletRequest request,
        HttpServletResponse response) throws ServletException,
        java.io.IOException {

        HttpSession session = request.getSession( );

        response.setContentType("text/html");
        java.io.PrintWriter out = response.getWriter( );

        out.println(
          "<html><head><title>Authenticated User Info</title></head><body>");
        out.println("<h2>Logging out a user</h2>");
        out.println("request.getRemoteUser( ) returns: ");

        //get the logged-in user's name
        String remUser = request.getRemoteUser( );

        //Is the request.getRemoteUser( ) return value null? If
        //so, then the user is not authenticated
        out.println(remUser == null ? "Not authenticated." : remUser );
        out.println("<br>");

        out.println("request.isUserInRole(\"dbadmin\") returns: ");

        //Find out whether the user is in the dbadmin role
        boolean isInRole = request.isUserInRole("dbadmin");
        out.println(isInRole);
        out.println("<br>");

        //log out the user by invalidating the HttpSession
        session.invalidate( );

        out.println("</body></html>");

    } //doGet

    public void doPost(HttpServletRequest request,
        HttpServletResponse response) throws ServletException,
        java.io.IOException {

        doGet(request,response);

    } //doPost

} //LogoutServlet

A logged-in user who requests this servlet sees the output in Figure 15-5. The servlet displays the return values of HttpServletRequest.getRemoteUser( ) (the username) and HttpServletRequest.isUserInRole( ). The latter method returns a boolean value indicating whether the user is associated with the role specified by the method's String parameter.

Figure 15-5. A servlet shows some user-related information before logging out the user

The servlet then invalidates the user's session to log her out. Rerequesting the servlet produces the output shown in Figure 15-6.

Figure 15-6. The servlet's output indicates a logged-out user

See Also

The Tomcat documentation and Recipe 15.2 on setting up SSL for use with authentication: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html; Recipe 3.9 on restricting requests for certain servlets; Recipe 15.6-Recipe 15.9 on using JAAS.
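
As a companion to Example 15-8, the following added example (not code from the book) shows a logout servlet that accepts only POST, invalidates the session without first creating one, expires the session cookie, and redirects. The class name PostOnlyLogoutServlet, the JSESSIONID cookie name and path, and the /index.jsp landing page are assumptions made for illustration.

```java
package com.jspservletcookbook;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the book): logout that changes state only on POST.
public class PostOnlyLogoutServlet extends HttpServlet {

    // Assumption: the container uses the default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";
    // Hypothetical landing page; replace with a public page of your application.
    private static final String AFTER_LOGOUT = "/index.jsp";

    // doGet() is deliberately not overridden: HttpServlet's default answers GET
    // with an error status, so a link or <img> tag on another site cannot
    // end the user's session.
    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        // getSession(false) returns null instead of creating a fresh
        // session just so that it can be invalidated.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Ask the browser to drop the now-useless session ID. The path must
        // match the one the container used when it set the cookie
        // (assumed here: the context path, or "/" for the root context).
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        String path = request.getContextPath();
        expired.setPath(path.length() == 0 ? "/" : path);
        expired.setMaxAge(0);
        response.addCookie(expired);

        // Keep this response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // Redirect so that reloading the page does not resubmit the logout.
        response.sendRedirect(request.getContextPath() + AFTER_LOGOUT);
    }
}
```

Map the servlet in web.xml as usual and reach it from a form with method="post"; a plain link issues a GET, which this servlet rejects.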