https://bz.apache.org/bugzilla/show_bug.cgi?id=62048

--- Comment #14 from Christopher Schultz <ch...@christopherschultz.net> ---
Hmm.... seems we've gone down a rathole. Michael-O is right: this is probably
the wrong approach for the Manager in general, because there is no requirement
that the Manager use HTTP Basic as the authentication mechanism... it's just
pretty much assumed because that's what everybody actually does. :)

There is no "logout" link in the manager, probably because (a) everyone always
uses HTTP Basic auth and (b) nobody ever bothered to implement a "logout" for
HTTP Basic.

So.... what do we do here?

What about adding a "logout" button/link to the UI and then, when it's clicked,
figuring out what to do? For HTTP Basic/Digest, use the process that has mostly
filled the comments here. For FORM authentication, just kill the user's
session. For CLIENT-CERT... well, there is no meaningful "logout" you can
perform that I know of for CLIENT-CERT.

So it's a simple switch on request.getAuthType(), right?

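The switch on request.getAuthType() proposed in the comment above, sketched as an added example that is not part of the original message or of Tomcat's Manager code. The class name, the realm value, the javax.servlet namespace and the 401 re-challenge used for BASIC/DIGEST are assumptions; the process referred to in the earlier comments is not shown on this page.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; not Tomcat Manager code.
public class LogoutServlet extends HttpServlet {
    // Assumption: must match <realm-name> in the webapp's login-config.
    private static final String REALM = "Example Realm";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String authType = request.getAuthType();
        // getAuthType() is null when the request is unauthenticated, and a
        // switch on a null String throws NullPointerException.
        if (authType == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Not logged in");
            return;
        }
        // Drop any session, and with it any principal the container cached there.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setHeader("Cache-Control", "no-store");
        switch (authType) {
            case HttpServletRequest.BASIC_AUTH:
                // Assumption: a fresh challenge makes the browser re-prompt.
                response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                break;
            case HttpServletRequest.DIGEST_AUTH:
                response.setHeader("WWW-Authenticate", "Digest realm=\"" + REALM
                        + "\", qop=\"auth\", nonce=\"" + UUID.randomUUID() + "\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                break;
            case HttpServletRequest.FORM_AUTH:
                // The session is already gone; send the user to the app root.
                response.sendRedirect(request.getContextPath() + "/");
                break;
            default:
                // CLIENT-CERT and unknown types: the TLS layer presents the
                // certificate on every request, so nothing can be revoked here.
                response.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED,
                        "Logout is not supported for " + authType);
        }
    }
}
```

Handling the action in doPost keeps logout off GET, so a stray link or image tag cannot trigger it.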