• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

How to Log out when auth-method is CLIENT-CERT?

 
Ranch Hand
Posts: 65
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
JBoss 4.2.4GA server. I guess this would be the same for other servers too.

Is there a way to log out user logged in with certificate and force browser to prompt for certificate selection again?

I have googled a bit, and it seems there is no elegant solution for the problem. Only way would be closing browser.

Is there someone with similar issue and better solution?

On Jboss site there is FAQ on:
http://www.jboss.org/community/docs/DOC-12198

The questio is on kind of similar question (realted to basic autentication):

Q5: How do I logout of a web application?
A5: Invalidate the web session
Q6: How do I logout with basic auth, I did invalidate the session?

A6: It did logout, but then the browser automatically logged back in with saved/cached information. Your web browser needs to be restarted, or its password setting cleared.



I have tried to invalidate session, no success. After invalidating session I was redirecting to HTTP, with same - no result, user remained logged in.

Any hints?
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You're right that the browser will keep sending the certificate until the browser is shut down, just like with basic authentication.

If the application logic automatically starts a new session in the presence of a valid certificate, then there is no way to do this.
 
reply
    Bookmark Topic Watch Topic
  • New Topic