Thanks but that didn't work for me I've got
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/> in my server.xml And I've created a SessionTrackingModeListener (just like manual) and modified web.xml with this listener And now I finish SSL Session with session.invalidate(); org.apache.tomcat.util.net.SSLSessionManager mgr =(org.apache.tomcat.util.net.SSLSessionManager)request.getAttribute("javax.servlet.request.ssl_session_mgr"); mgr.invalidateSession(); response.setHeader("Connection", "close"); ServletContext context = this.getServletContext().getContext("/app"); if (context != null) response.sendRedirect(context.getContextPath() + "/protected.html" ); I hoped that login.html was return but protected.html is I dont find any doc about realm + SSL what 's wrong ? Thanks and regards 2011/9/7 Mark Thomas <ma...@apache.org>: > On 07/09/2011 12:20, Chema wrote: >> Hello: >> >> I've got a web application running on Tomcat 7.0.16 >> It uses realm authentication to validate users ( FORM login method >> with a custom login page named login.html) >> and it's secured by SSL with >> >> <security-constraint> >> <web-resource-collection> >> <web-resource-name>ssl</web-resource-name> >> <url-pattern>/*</url-pattern> >> </web-resource-collection> >> <user-data-constraint> >> <transport-guarantee>CONFIDENTIAL</transport-guarantee> >> </user-data-constraint> >> </security-constraint> >> >> So, if I write https://localhost:8080/protected.html, Tomcat redirect >> to my login.html page to authenticate the user, >> and , if it's valid, returns main.html. >> All fine >> >> >> The web application has got a service to implement a logout with 2 steps: >> >> - session.invalidate() >> - redirect to protected.html >> >> >> Well, when I invoked last service, I hoped that when redirecting to >> protected.html, as I invalidated session before and protected.html is >> a protected resource, Tomcat redirected my browser to login.html. >> But didn't : protected.html was returned. >> >> If I repeat this steps without SSL configuration , Tomcat does >> (redirects my browser to login.html) >> >> >> What I need to finish a SSL session and realm mechanism knows it ? > > http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org