Implementing security correctly in WebLogic can be a daunting task. There are many caveats and dodgy behaviors, and not all of them are CLEARLY documented.
Suppose I have protected all my JSPs with this clause in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>
            These pages are only accessible by authorized
            administrators.
        </description>
        <!-- "/*.jsp" would be matched as an exact path, not as a wildcard;
             "*.jsp" is the extension mapping that covers every JSP -->
        <url-pattern>*.jsp</url-pattern>
        <!-- No <http-method> is listed, so the constraint applies to every
             HTTP method. Listing only GET would leave POST etc. unprotected. -->
    </web-resource-collection>
    <auth-constraint>
        <description>
            These are the roles who have access.
        </description>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>
            This is how the user data must be transmitted.
        </description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
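As an added example (not code from the original post), here is a small Python lint that reads a web.xml and flags the constraint pitfalls discussed above: a url-pattern that the Servlet spec treats as an exact path rather than a wildcard, an http-method list that leaves the other verbs unconstrained, a missing auth-constraint, and a transport-guarantee of NONE. The embedded web.xml is constructed for the example.

```python
# Added example: lint servlet <security-constraint> elements for common pitfalls.
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment) showing the two mistakes discussed.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/*.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def classify_pattern(pattern: str) -> str:
    """Classify a url-pattern the way the Servlet spec (section 12.2) does."""
    if pattern in ("", "/"):
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # anything else matches only that literal path


def lint_constraints(web_xml: str) -> list:
    """Return (web-resource-name, finding) pairs for risky constraints."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop any default namespace so tag lookups work
        el.tag = el.tag.split("}")[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        name = (wrc.findtext("web-resource-name") or "?").strip()
        for pat in wrc.findall("url-pattern"):
            p = (pat.text or "").strip()
            if classify_pattern(p) == "exact" and "*" in p:
                findings.append((name, f"url-pattern {p!r} is an exact match, not a wildcard"))
        methods = [(m.text or "").strip() for m in wrc.findall("http-method")]
        if methods:
            findings.append((name, f"only {methods} constrained; POST, HEAD etc. are not"))
        if sc.find("auth-constraint") is None:
            findings.append((name, "no auth-constraint: resource is open to everyone"))
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if tg == "NONE":
            findings.append((name, "transport-guarantee NONE: credentials may travel in clear text"))
    return findings
```

Run `lint_constraints(SAMPLE_WEB_XML)` to see all three findings for the sample; a constraint using `*.jsp` with no http-method and CONFIDENTIAL transport produces none.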
and the role "admin" is defined in weblogic.xml:
<security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
    <principal-name>Monitors</principal-name>
    <principal-name>Deployers</principal-name>
</security-role-assignment>
At this point all your JSPs require that you are authenticated.
To log out, you can use this JSP code:
<%
    // Drop the application's own session state and kill the HTTP session...
    session.removeAttribute("User");
    session.invalidate();
    // ...and also clear WebLogic's authentication state, otherwise the user stays logged in
    weblogic.servlet.security.ServletAuthentication.invalidateAll(request);
%>
Without the "invalidateAll(...)" call, logout will not work. Apparently the session information is still kept on the server, and the session is immediately resumed without asking you to authenticate again. Frustrating. Documentation on this topic is a bit confusing. Howeve