Problem 1
When a user attempts to gain access to restricted files he/she does not have a role for, an HTTP 403 is returned to the user.
When then trying to re-login using the same link (BASIC authentication) to type in different credentials, the failed login attempt is remembered and it goes directly to an HTTP 403, without asking for username/password.
Problem 2
When a user successfully logs in and gets his/her session terminated, then clicks the login button again, they aren't asked to type in their login credentials because their previous login "session" is remembered.
To try and fix this behavior I have tried different solutions, ALL without luck.
Solution 1
Call the .invalidate() method on the request.getSession(false) object.
Solution 2
Disable browser cache through a filter for all *.jsp pages on requests:
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0
httpResponse.setDateHeader("Expires", 0); // Proxies
Which I found here:
Add an Expires or a Cache-Control header in JSP
How to control web page caching, across all browsers?
Solution 3
Disabling the Tomcat 8 cache in /META-INF/context.xml:
antiJARLocking="true"
antiResourceLocking="true"
cachingAllowed="false"
cacheMaxSize ="0"
cacheTTL="1"
reloadable="false"
Found here:
how to disable tomcat caching?
Undeploy, redeploy the project and restart Tomcat.
For everything I have tried, I have disabled the browser cache as in solution 2, cleared my test browser before the login test and tried private browser windows.
Redirect back to login at error
When I get the HTTP 403 error I call a servlet through web.xml that sends the user back to the front page (where the login link is):
<error-page>
<error-code>403</error-code>
<location>/Http403</location>
</error-page>
Through a response.sendRedirect(url) instead of a forward, so as to force the browser to make a 'fresh' HTTP GET for the front page / welcome page. I read somewhere that this was the way to do it, but I'm not 100% sure whether this has any advantage or not; if someone knows, please let me know.
Found the problem
From: Basic Authentication : Is it possible to setRemoteUser like getRemoteUser()
BASIC authentication is a completely different thing. It shows a bare JavaScript-look-alike dialog with username/password inputs. It stores the authentication information on the client side, which gets sent as a request header on every single subsequent request
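As an added example (not code from the question or from any of the linked answers), here is the server-side part of the question's solutions 1 and 2 plus the Http403 redirect servlet in one place, for a Servlet 3.0+ container such as Tomcat 8. The servlet paths, the realm name "Protected" and the front page /index.jsp are assumptions. The point it shows: request.logout() and session.invalidate() only clear what Tomcat remembers; for BASIC the credentials live in the browser, and the only lever the server has is to answer 401 with the realm again so the browser re-prompts. Whether a given browser really discards the cached credentials at that point is browser-dependent, which is why a BASIC "logout" cannot be made reliable from the server alone.

```java
// File: NoCacheFilter.java
// Added example, not from the question. Assumes Servlet 3.0+ (Tomcat 8).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Applied to every response, not only *.jsp, so the redirect targets and the
// error page are not served from the browser cache either.
@WebFilter("/*")
public class NoCacheFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        resp.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
        resp.setDateHeader("Expires", 0);                                       // proxies
        chain.doFilter(req, res);
    }
}

// File: LogoutServlet.java
// Added example, not from the question. Realm name "Protected" is an assumption
// and must match <realm-name> in the web.xml <login-config>.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Server side: drop the Principal Tomcat cached for this session
        // (Servlet 3.0) and the HttpSession itself, if there is one.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Client side: the browser still holds the Authorization header and
        // will re-send it on the next request. Answering 401 with the realm is
        // the only signal the server can give it to prompt again; browsers
        // differ in whether they then forget the old credentials.
        resp.setHeader("WWW-Authenticate", "Basic realm=\"Protected\"");
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

// File: Http403Servlet.java
// Added example, not from the question. Target of the web.xml <error-page>
// for 403; the front page /index.jsp is an assumption.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/Http403")
public class Http403Servlet extends HttpServlet {
    // The error-page dispatch keeps the original request method, so override
    // service() rather than doGet() to catch a 403 on a POST as well.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A redirect (302 + Location) makes the browser issue a fresh GET for
        // the front page; a forward would serve it under the forbidden URL.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```

With this in place, problem 1 is explained rather than fixed: after a 403 the browser keeps sending the credentials of the user it already authenticated, so the same 403 comes back until the browser is told to re-prompt (the 401 above) or the user closes it. The redirect in Http403Servlet does give a fresh GET of the front page, but that GET still carries the cached Authorization header.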