[jboss-user] [Security & JAAS/JBoss] - Re: The neverending logout topic

Vellmont do-not-reply at jboss.com
Tue Apr 24 11:19:25 EDT 2007


I think I've found the root of my problem.  Basic Authentication.  

Not many references talk about it, but it would appear that one of the major architectural differences between basic and form-based authentication is that basic authentication has no concept of a logged-in user.  The browser sends the credentials every time you access a protected page.

It's essentially impossible to "log out" a user from a website using basic authentication because they aren't logged in.  The only way to make a webpage inaccessible to a user on a site using basic authentication is to get their browser to throw away the credentials.  That means restarting the browser or clearing out cookies.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4040221#4040221

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4040221
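The behaviour described in the post, shown side by side as an added example (this is not code from the original post or from JBoss): a stateless Basic-auth handler that re-authenticates every request from the Authorization header and therefore has nothing to invalidate on "logout", next to a form-style handler that issues a server-side session token and can revoke it. The client model, the user store, the cookie name JSESSIONID and the credentials alice/s3cret are constructed assumptions for the demonstration.

```python
import base64
import hmac
import secrets

# Constructed user store for the example; a real realm would back this with a database or JAAS.
USERS = {"alice": "s3cret"}


def check_credentials(user, password):
    """Constant-time password check; unknown users still burn a comparison."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password, "dummy-placeholder")
        return False
    return hmac.compare_digest(password, expected)


def parse_basic_header(value):
    """Decode 'Basic <base64(user:password)>'. Returns (user, password) or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class BasicAuthServer:
    """Each protected request is authenticated purely from the Authorization header.
    No per-user state exists on the server, so logout() has nothing to revoke."""

    def handle(self, headers):
        creds = parse_basic_header(headers.get("Authorization", ""))
        return 200 if creds and check_credentials(*creds) else 401  # 401 carries WWW-Authenticate in reality

    def logout(self, headers):
        return 200  # nothing to invalidate


class SessionAuthServer:
    """Form-style login: credentials are checked once, then a random session token is issued.
    logout() deletes the token, so later requests carrying it are rejected."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if not check_credentials(user, password):
            return 401, None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return 200, token

    def _token(self, headers):
        name, sep, token = headers.get("Cookie", "").partition("=")
        return token if sep and name == "JSESSIONID" else None

    def handle(self, headers):
        return 200 if self._token(headers) in self.sessions else 401

    def logout(self, headers):
        self.sessions.pop(self._token(headers), None)
        return 200


class Browser:
    """Client model: cached Basic credentials and cookies are resent on every request
    until the user clears them (restart, clear cookies) or the server rejects them."""

    def __init__(self):
        self.basic_header = None
        self.cookie = None

    def request(self, server):
        headers = {}
        if self.basic_header:
            headers["Authorization"] = self.basic_header
        if self.cookie:
            headers["Cookie"] = "JSESSIONID=" + self.cookie
        return server.handle(headers)


def basic_auth_scenario():
    """Returns (status before logout, status after logout, status after client clears creds)."""
    server, browser = BasicAuthServer(), Browser()
    browser.basic_header = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    before = browser.request(server)
    server.logout({"Authorization": browser.basic_header})
    after = browser.request(server)      # browser still holds the credentials: access continues
    browser.basic_header = None          # only the client can end it, by forgetting them
    cleared = browser.request(server)
    return before, after, cleared        # (200, 200, 401)


def session_auth_scenario():
    """Returns (status before logout, status after logout) for the session-based server."""
    server, browser = SessionAuthServer(), Browser()
    _, browser.cookie = server.login("alice", "s3cret")
    before = browser.request(server)
    server.logout({"Cookie": "JSESSIONID=" + browser.cookie})
    after = browser.request(server)      # cookie is still sent, but the server no longer honours it
    return before, after                 # (200, 401)
```

The two scenarios make the architectural difference concrete: with Basic auth the server's "logout" changes nothing, because the browser resends the same Authorization header and it still validates; with a session the server holds the state, so it can end the login regardless of what the client keeps.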



More information about the jboss-user mailing list