
I really want to know the usage of realm. http://en.wikipedia.org/wiki/Basic_access_authentication says:

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history.[1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser or using sessions in the URL.

In my code:

// Challenge the client with HTTP Basic authentication for the "Alfresco" protection space
res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");

So the site requests authentication based on the realm. Once it does, the username and password are saved somewhere, and until the browser cache or browsing history is cleared, this information stays saved.

My question is: is there a way to clear such credentials on the server using a servlet? Any help is greatly appreciated!

Ref: What is the exact uses of REALM term in security?

swemon
  • Browser cache cannot be cleared using server-side/client-side code as that would be a huge security breach. – Vikdor Oct 03 '12 at 11:49

2 Answers


The server won't ever have that level of control over browsers. The only safe way to deal with leaked account details is to promptly invalidate or lock the account and expire all the user sessions tied to it. A web server is able to accomplish all of those operations.

From the spec:

   The realm attribute (case-insensitive) is required for all
   authentication schemes which issue a challenge. The realm value
   (case-sensitive), in combination with the canonical root URL of the
   server being accessed, defines the protection space

It basically means that once you have successfully authenticated, the browser can safely assume that all resources under the same root URL will be accessible using the same credentials. There's no standard way to set a client-side timeout on HTTP Basic credentials.

skuro

You probably want to have a look at this answer: How to force Jetty to ask for credentials with BASIC authentication after invalidating the session?

Basic authentication seems useless to me.

You want to switch to Form authentication if you can.

Adriano