I am using Tomcat BASIC authentication for my web app:
I added the following lines to web.xml in my web app:
This is something completely different. You are using BASIC authentication to validate a user. This prompts the browser for a username and password on the first request. From then on the browser will automatically send the username and password on all subsequent requests to the same server, so your web-based authentication just re-logs them back in. The session IS invalidated, and anything you put in it will be gone, but you cannot get the server to re-prompt the user for a name and password. It will keep sending the same username and password to the same host until you close the browser. This is a drawback to BASIC authentication.
I generally use my own authentication because it allows more freedom; however, you are responsible for making sure all your resources are protected. An easy way to do this is to use Struts and override the action servlet's perform method to do authentication. You create your own login page instead of having the browser put up a login dialog. You check to make sure someone is logged in by saving a variable to their session and checking that variable when they make requests. If the variable is set, they are OK. If not, you redirect them to the login page. Invalidating the session logs someone out.
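The session-variable scheme the answer describes, written out as an added example that is not code from the question, the answer or Struts. It uses a plain servlet Filter (the javax.servlet API that Tomcat provides) rather than the Struts hook the answer mentions, and the class names, the "user" session attribute, the constructed in-memory user table and the /login and /logout paths are all illustrative choices, not anything the page specifies.

```java
// Added example (not from the page): session-based login for a servlet app.
// Assumes the javax.servlet API; attribute name, paths and the user table are illustrative.
package example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects every request whose session carries no logged-in user. Map it to /* in web.xml. */
public class AuthFilter implements Filter {
    static final String USER_ATTR = "user";
    static final String LOGIN_PATH = "/login";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login endpoint itself must stay reachable, or nobody can ever log in.
        if (path.equals(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a session just to discover that it is empty.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }
}

/** The app's own login page: GET shows the form, POST checks it and marks the session. */
class LoginServlet extends HttpServlet {
    // Constructed sample user table (username -> password) for this example only.
    // A real application verifies a salted password hash from its user store here.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");

    static boolean verify(String user, String password) {
        String expected = user == null ? null : USERS.get(user);
        if (expected == null || password == null) return false;
        // Constant-time comparison so the check does not leak how much of the password matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method='post'>"
                + "<input name='username'> <input type='password' name='password'>"
                + "<button>Log in</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        if (!verify(user, req.getParameter("password"))) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            doGet(req, resp); // re-show the form; no WWW-Authenticate, so no browser dialog
            return;
        }
        // Discard any session that existed before login, so a session id planted on the
        // victim beforehand (session fixation) is never promoted to a logged-in session.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(AuthFilter.USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}

/** Logging out is exactly what the answer says: invalidate the session. */
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
        resp.sendRedirect(req.getContextPath() + AuthFilter.LOGIN_PATH);
    }
}
```

Register the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*`, and map the two servlets to `/login` and `/logout`; anything that must stay public (the login page's CSS, for instance) needs its own exclusion in `doFilter`. Because the browser never holds the credentials, only a session cookie, invalidating the session really does log the user out, which is the difference from the BASIC case in the answer. Mark the session cookie HttpOnly and Secure in web.xml's `<session-config>` so it cannot be read by scripts or sent over plain HTTP.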