authenti cator SingleSignOn.java

Brian Stansberry Sun, 19 Sep 2004 00:45:23 -0700

Jan,

At 06:18 PM 9/16/2004 +0000, you wrote:

luehe       2004/09/16 11:18:41

 Modified:    catalina/src/share/org/apache/catalina/authenticator
                       SingleSignOn.java
 Log:
 - Removed deregister(String ssoid), because it is no longer needed
   (used to be called when session was logged out, which is no longer
   supported)

I'm not sure what you meant here by "no longer supported." Do you mean the cross-webapp signout feature that deregister(String ssoid) provided, or has there been some more fundamental change in TC's handling of HttpSession.invalidate()?

In either case, the SingleSignOn docs at http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/host.html#Single%20Sign%20On need to be updated, as they state:

"As soon as the user logs out of one web application (for example, by invalidating or timing out the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again."

(Actually, that paragraph was incorrect even before this patch, since the time out of a session would not cause other sessions to be invalidated.)

Best,
Brian Stansberry

 - Replaced call to removeSession(String, Session) with
   deregister(String, Session), which is identical, and removed
   removeSession(String, Session) because it is no longer needed
Revision Changes Path 1.18 +3 -92 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java

Index: SingleSignOn.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- SingleSignOn.java 29 Aug 2004 16:46:09 -0000 1.17 +++ SingleSignOn.java 16 Sep 2004 18:18:41 -0000 1.18 @@ -287,24 +287,10 @@ synchronized (reverse) { ssoId = (String) reverse.get(session); } - if (ssoId == null) + if (ssoId == null) { return; - - // Was the session destroyed as the result of a timeout? - // If so, we'll just remove the expired session from the - // SSO. If the session was logged out, we'll log out - // of all session associated with the SSO. - if ((session.getMaxInactiveInterval() > 0) - && (System.currentTimeMillis() - session.getLastAccessedTime() >= - session.getMaxInactiveInterval() * 1000)) { - removeSession(ssoId, session); - } else { - // The session was logged out. - // Deregister this single session id, invalidating - // associated sessions - deregister(ssoId); } - + deregister(ssoId, session); }
 @@ -468,46 +454,6 @@
/** - * Deregister the specified single sign on identifier, and invalidate - * any associated sessions. - * - * @param ssoId Single sign on identifier to deregister - */ - protected void deregister(String ssoId) { - - if (container.getLogger().isDebugEnabled()) - container.getLogger().debug("Deregistering sso id '" + ssoId + "'"); - - // Look up and remove the corresponding SingleSignOnEntry - SingleSignOnEntry sso = null; - synchronized (cache) { - sso = (SingleSignOnEntry) cache.remove(ssoId); - } - - if (sso == null) - return; - - // Expire any associated sessions - Session sessions[] = sso.findSessions(); - for (int i = 0; i < sessions.length; i++) { - if (container.getLogger().isTraceEnabled()) - container.getLogger().trace(" Invalidating session " + sessions[i]); - // Remove from reverse cache first to avoid recursion - synchronized (reverse) { - reverse.remove(sessions[i]); - } - // Invalidate this session - sessions[i].expire(); - } - - // NOTE: Clients may still possess the old single sign on cookie, - // but it will be removed on the next request since it is no longer - // in the cache - - } - - - /** * Attempts reauthentication to the given <code>Realm</code> using * the credentials associated with the single sign-on session * identified by argument <code>ssoId</code>. @@ -636,39 +582,4 @@ }

} - - - /** - * Remove a single Session from a SingleSignOn. Called when - * a session is timed out and no longer active. - * - * @param ssoId Single sign on identifier from which to remove the session. - * @param session the session to be removed. - */ - protected void removeSession(String ssoId, Session session) { - - if (container.getLogger().isDebugEnabled()) - container.getLogger().debug("Removing session " + session.toString() + " from sso id " + - ssoId ); - - // Get a reference to the SingleSignOn - SingleSignOnEntry entry = lookup(ssoId); - if (entry == null) - return; - - // Remove the inactive session from SingleSignOnEntry - entry.removeSession(session); - - // Remove the inactive session from the 'reverse' Map. - synchronized(reverse) { - reverse.remove(session); - } - - // If there are not sessions left in the SingleSignOnEntry, - // deregister the entry. - if (entry.findSessions().length == 0) { - deregister(ssoId); - } - } - }

_________________________________________________________________ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOn.java

Reply via email to