I'll try to convince Remy (that might be tough, though, and might take some time; AFAIK Remy is off on vacation till August 16th) to enhance the SingleSignOn valve with optional logic, as the use case I described is, I believe, a common scenario for those who use SSO. I'd be more than happy if anyone for whom my arguments seem reasonable could support my point of view.

Remy pointed out that the applications should be as isolated as possible, while the SSO Valve in its current implementation denied this. To be precise, to me, it would be much more appropriate and in the spirit of Remy's point of view if the logout action (session.invalidate() on one of the federated sessions) removed an entry in the SSO cache only, leaving non-invalidated sessions untouched. Now, if another request arrived with the SSO id, the valve would do nothing as there's no such entry in the SSO cache, therefore the user would have to reauthenticate. Of course I might miss something.
I'll dig into Authenticator stuff and try your suggestion.

cheers,
/dd

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888794#3888794
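The two logout behaviours discussed in the post above, as an added example that is not part of the original message and is not Tomcat or JBoss code: a simplified in-memory model of an SSO cache in which `INVALIDATE_ALL` stands for the cascading logout the post contrasts against and `DEREGISTER_ONLY` for the proposed one. All class, method and policy names are hypothetical, and the SSO id and application names are constructed.

```java
import java.util.*;

// Simplified model, not Tomcat/JBoss code: all class and method names are hypothetical.
public class SsoLogoutModel {
    static class Session {
        final String app;
        boolean valid = true;
        Session(String app) { this.app = app; }
    }

    enum LogoutPolicy { INVALIDATE_ALL, DEREGISTER_ONLY }

    static class SsoCache {
        private final Map<String, List<Session>> entries = new HashMap<>();
        private final LogoutPolicy policy;
        SsoCache(LogoutPolicy policy) { this.policy = policy; }

        // Called when an application creates a session for an authenticated SSO id.
        Session associate(String ssoId, String app) {
            Session s = new Session(app);
            entries.computeIfAbsent(ssoId, k -> new ArrayList<>()).add(s);
            return s;
        }

        // Called when one federated session is invalidated (the logout action).
        void onLogout(String ssoId, Session loggedOut) {
            loggedOut.valid = false;
            List<Session> sessions = entries.remove(ssoId); // SSO entry is dropped under both policies
            if (sessions != null && policy == LogoutPolicy.INVALIDATE_ALL) {
                for (Session s : sessions) s.valid = false; // cascade to every other application
            }
        }

        // A later request carrying the SSO id: true means it is accepted without a login prompt.
        boolean canReuse(String ssoId) { return entries.containsKey(ssoId); }
    }

    public static void main(String[] args) {
        for (LogoutPolicy p : LogoutPolicy.values()) {
            SsoCache cache = new SsoCache(p);
            Session a = cache.associate("sso-1", "appA"); // constructed sample ids
            Session b = cache.associate("sso-1", "appB");
            cache.onLogout("sso-1", a);
            System.out.printf("%s: appA valid=%b, appB valid=%b, sso id reusable=%b%n",
                    p, a.valid, b.valid, cache.canReuse("sso-1"));
        }
    }
}
```

Under `DEREGISTER_ONLY` the session in the second application stays valid until it expires or is invalidated there, so logging out of one application ends the shared sign-on but not the user's existing access to the others.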
