This topic is closed

  • Certificate and logout

    Hi all,
    I'm using Spring Security to handle security in a web app. It uses X509 certificates; the certificate is created by a card reader when a card is inserted. This is the scenario:
    - a user inserts a card in the reader
    - a certificate with the username is created and installed in the browser
    - the user connects to the site and is authenticated
    - when the user finishes the stuff, he gets the card back
    - the certificate is uninstalled from the browser; the user is now considered disconnected from the system.

    The request is sent to an Apache httpd server, which verifies the certificate, then forwards the request to an application server.

    I manage to authenticate a user, but when the certificate is removed after the connection, the user is still authenticated. I want to automatically log out the user when the certificate doesn't exist anymore.

    How can I do that with Spring Security? Should I write some kind of AutoLogoutFilter? Another suggestion?
    I could probably configure the Apache server to refuse the connection, but I'm not the owner...

    Thanks in advance.
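
One shape the AutoLogoutFilter asked about above could take, as an added example that is not part of the original thread and not Spring Security's own code: on every request it compares the certificate used at login with the one the request carries now, and ends the session when they differ or none is present. It assumes the `javax.servlet` API, that Spring Security's X.509 filter stored the certificate as the authentication's credentials, and that the front-end server forwards the client certificate to the application server as the standard `javax.servlet.request.X509Certificate` request attribute.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (name taken from the question); not a Spring Security class.
public class AutoLogoutFilter extends OncePerRequestFilter {

    // Standard servlet attribute holding the client certificate chain (assumed to be forwarded).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Only sessions that were authenticated with a certificate are checked.
        if (auth != null && auth.getCredentials() instanceof X509Certificate
                && !sameCertificate((X509Certificate) auth.getCredentials(), request)) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();             // drop the stored security context
            }
            SecurityContextHolder.clearContext(); // drop it for this request too
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    // True only if this request carries the certificate the user logged in with.
    private static boolean sameCertificate(X509Certificate loginCert, HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return false;                         // certificate no longer presented
        }
        return loginCert.equals(((X509Certificate[]) attr)[0]);
    }
}
```

The filter belongs in the Spring Security filter chain after the X.509 authentication filter. It can only react to what reaches the application server: if the browser keeps using an already established TLS connection or session, the certificate may still be presented after the card is removed.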