I am using a JDBCRealm for user authentication with form-based authentication and Tomcat 4.0.3 (see config info below). I've also configured an HttpSessionListener that prints a message when a session is created or destroyed. A page called home.jsp is used as the default page.
When I access the URL of the app, I see a session created and I get the login form. I log in as, for example, user1. I then see the home.jsp page. I then log out by calling a Struts Action where I call session.invalidate(). Source shown below. I can see the session being destroyed. Now, if I log in as another user, say user2, I sometimes get in as user2 and sometimes get in as user1. I can tell the difference because the two users have different roles that govern what is printed on the home page. This is a real security problem because a user with fewer privileges (roles) can log on right after a user with more privileges and sometimes get logged in as the user with more privileges. Help would be greatly appreciated.

Michael

--- In server.xml ----------------------------------------------------

<!-- DCE Context -->
<Context path="/dce" docBase="dce" debug="0" reloadable="true">
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="5"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/web_users?user=root"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_role" roleNameCol="role_name" />
</Context>

---------------------------------------------------------------------

--- In web.xml ---

<listener>
  <listener-class>com.arinc.dce.ProjectionLoader</listener-class>
</listener>

<welcome-file-list>
  <welcome-file>/home.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>dce</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>dce.user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>dce</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

---------------------------------------------------------------------

--- In LogoutAction.java
---

// LogoutAction.java
package com.arinc.dce.actions;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LogoutAction extends Action {

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        System.out.println("inside LogoutAction");

        // Just invalidate the session and return the user to the home page.
        // getSession() creates a session if none exists, so a brand-new one is
        // invalidated immediately in that case.
        request.getSession().invalidate();

        // Forward (not redirect) to the "thanks" page configured in struts-config.xml;
        // the page is rendered within this same request.
        ActionForward f = mapping.findForward("thanks");
        System.out.println("got ActionForward " + f);
        return f;
    }
}

---------------------------------------------------------------------
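Two hardening pieces a practitioner would add to the setup above, written here as an added example rather than code from the original post: a logout action that invalidates the session, expires the JSESSIONID cookie on the client and redirects (instead of forwarding within the request that still carries the logged-out principal), and a servlet filter that records the principal the container reports for each session, refuses a session whose principal changes, and logs "session id, remote user" on every request so the login/logout/login sequence can be replayed and audited against the HttpSessionListener output. It uses only Servlet 2.3 and Struts 1.0 APIs, as available on Tomcat 4.0.3. The class name HardenedLogoutAction, the session attribute name dce.boundUser and the auth-audit log prefix are assumptions, and the "thanks" forward is assumed to be a context-relative path as Struts expects.

```java
// Added example, not code from the original post. Servlet 2.3 / Struts 1.0 APIs as on
// Tomcat 4.0.3. Class, attribute and log-prefix names are hypothetical.
package com.arinc.dce.actions;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class HardenedLogoutAction extends Action {

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // 1. Drop the server-side session, without creating one just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the session cookie on the client so the browser stops presenting the
        //    old id. Tomcat scopes JSESSIONID to the context path, so the expiry must match.
        String ctx = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(ctx.length() == 0 ? "/" : ctx);
        response.addCookie(expired);

        // 3. Redirect rather than forward. A forward renders the "thanks" page inside this
        //    request, which still answers getRemoteUser() with the logged-out user and would
        //    create a fresh session on the first getSession() call (every JSP does that by
        //    default). A redirect makes the browser fetch the page with a new request.
        ActionForward thanks = mapping.findForward("thanks"); // path assumed context-relative
        response.sendRedirect(ctx + thanks.getPath());
        return null; // response committed; Struts 1.0 treats a null forward as "handled"
    }

    /**
     * Per-request consistency check for the symptom in the post: binds each session to the
     * principal the container first reports on it, refuses the session if that principal
     * later changes, and logs "auth-audit <sessionId> <remoteUser>" on every request.
     * Map it in web.xml on url-pattern /* (filter-class is this nested class's binary name,
     * com.arinc.dce.actions.HardenedLogoutAction$PrincipalBindingFilter).
     */
    public static class PrincipalBindingFilter implements Filter {
        private static final String BOUND_USER = "dce.boundUser"; // hypothetical attribute
        private ServletContext context;

        public void init(FilterConfig config) throws ServletException {
            context = config.getServletContext();
        }

        public void destroy() {
            context = null;
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);
            String remoteUser = request.getRemoteUser();
            String sessionId = (session == null) ? "-" : session.getId();
            context.log("auth-audit " + sessionId + " " + remoteUser);

            if (session != null && remoteUser != null) {
                String bound = (String) session.getAttribute(BOUND_USER);
                if (bound == null) {
                    session.setAttribute(BOUND_USER, remoteUser);
                } else if (!bound.equals(remoteUser)) {
                    // One session, two principals: kill it rather than serve the wrong roles.
                    context.log("auth-audit principal changed on " + sessionId
                                + " from " + bound + " to " + remoteUser);
                    session.invalidate();
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```

The filter runs after the container's form authenticator, so it never sees the name typed into j_username; what it does catch is a principal changing underneath a live session, and its per-request log line, read next to the HttpSessionListener's create/destroy messages, shows exactly which user each request after a re-login ran as, which is the evidence needed to pin down the behaviour reported above. Separately from the login problem, the Realm in the server.xml above connects to MySQL as root with no password; the realm account should be a dedicated read-only user with its own password.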