Logout from web app using tomcat Basic authentication

You're using HTTP BASIC authentication instead of HTTP FORM authentication with j_security_check. The BASIC authentication is done by Authorization request header from the browser side, which is session independent.

To force a "logout" on BASIC authentication, the server basically needs to return a 401 response.

FacesContext facesContext = FacesContext.getCurrentInstance();ExternalContext externalContext = facesContext.getExternalContext();externalContext.invalidateSession();externalContext.responseSendError(401, "You are logged out.");facesContext.responseComplete();

This will present a HTTP 401 error page which is customizable as <error-page> in web.xml.

You can instead also return a HTML page with meta refresh so that the enduser is redirected to the desired target page as specified in the meta refresh header content.

FacesContext facesContext = FacesContext.getCurrentInstance();ExternalContext externalContext = facesContext.getExternalContext();externalContext.invalidateSession();externalContext.setResponseStatus(401);externalContext.getResponseOutputWriter().write("<html><head><meta http-equiv='refresh' content='0;add_international_job.faces'></head></html>");facesContext.responseComplete();

This seems indeed pretty low level and hacky, but the BASIC authentication is also pretty low level. This isn't necessary when using FORM authentication. Just invalidating the session and sending a normal redirect should work for FORM authentication.

This is something completely different. You are using BASIC authentication to validate a user. This prompts the browser for a username and password on the first request. From then on the browser will automatically send the username and password on all subsequent requests to the same server, so your web based authentication just relogs them back in. The session IS invalidated, and anything you put in it will be gone, but you cannot get the server to reprompt the user for a name and password. It will keep sending the same username and password to the same host until you close the browser. This is a drawback to BASIC authentication.

I generally use my own authentication because it allows more freedom, however you are responsible for making sure all your resources are protected. An easy way to do this is to use Struts and override the action servlets perform method to do authentication. You create your own login page instead of having the browser put up a login dialog. You check to make sure someone is logged in by saving a variable to their session and checking that var when they make requests. If the var is set, they are ok. If not, you redirect them to the login page. invalidating the session logs someone out.

public void logout() throws IOException {    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();    try {        request.logout();    } catch (ServletException ex) {        throw new IOException(ex);    }}