JAAS logout example

31 August 2013
By Gonçalo Marques
In this tutorial we will see how to logout users authenticated via JAAS.


Following the first couple of articles related with JAAS, some readers requested a new article about the JAAS logout process.

This article will show how to logout users authenticated via JAAS and will be based in the following previous articles:

JAAS authentication in Tomcat example

JAAS form based authentication in Tomcat example

The following software and environment was considered:

  1. Ubuntu 12.04
  2. JDK
  3. Tomcat 7.0.35

The secure page

Once again this tutorial is based on a couple of previous tutorials as stated in the Introduction. If you are not familiar with the concepts that will be described next you should go first through those previous tutorials.

We will change the secure page used in JAAS form based authentication in Tomcat example article to include a logout link:

Secure page

<?xml version="1.0" encoding="UTF-8" ?>
<%@ page language="java" 
  contentType="text/html; charset=UTF-8"
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" 
  content="text/html; charset=UTF-8" />
String username = request.getRemoteUser();
<span>Hello <%= username %>. This is a secure resource</span>
<br />
<a href="${pageContext.request.contextPath}/logout">Logout</a>

With this modification we will now notice a logout link when we access the secure page:

Secure page showing logout link
JAAS logout link

As we can see in the secure page source code the logout URL will be in this case:


Now we just need to handle the logout request. We will write a simple servlet for this purpose.

The logout Servlet

The logout servlet we just mentioned in the previous section may look like the following:

The logout Servlet

package com.byteslounge.jaas;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "logoutServlet", urlPatterns = {"/logout"})
public class LogoutServlet extends HttpServlet {

  private static final long serialVersionUID = 1L;
  protected void doGet(HttpServletRequest request,
    HttpServletResponse response) 
      throws ServletException, IOException {
    // Invalidate current HTTP session.
    // Will call JAAS LoginModule logout() method
    // Redirect the user to the secure web page.
    // Since the user is now logged out the
    // authentication form will be shown
      + "/admin/admin.jsp");


We are just calling the standard HTTP session invalidation: HttpSession.invalidate()

As soon as this method gets called the logout method from the JAAS LoginModule will be called.

Just to recall the logout method from the LoginModule we implemented in the previous articles - as stated in this article Introduction section:

logout method from LoginModule

public boolean logout() throws LoginException {
  return true;

Basically we remove the Principals we had previously assigned to the authenticated subject when he first logged in into the system.

Downloadable sample

The tutorial source code is available for download at the end of this page.

Download source code from this article

Download link: jaas-logout-example.zip

Related Articles


About the author
Gonçalo Marques is a Software Engineer with several years of experience in software development and architecture definition. During this period his main focus was delivering software solutions in banking, telecommunications and governmental areas. He created the Bytes Lounge website with one ultimate goal: share his knowledge with the software development community. His main area of expertise is Java and open source.

GitHub profile: https://github.com/gonmarques

He is also the author of the WiFi File Browser Android application: