Hi Thomas,

The reason you can't log off from the second app is that web apps cannot
talk to one another. Additionally, with the SingleSignOn feature, when
you leave a web app without invalidating the session, it remains
attached to the SingleSignOn session. The SingleSignOn session does not
expire until all attached sessions are invalid.

One solution is to set a time-out on the login web app's session to
something like 30 seconds once you authenticate the user and are about
to move to the second web app:

httpServletRequest.getSession().setMaxInactiveInterval(30);

Once in the second web app you must create a session; otherwise, when the
login session expires you will lose the SingleSignOn and the user will
have to reauthenticate. Now when you invalidate the second web app's
session the SingleSignOn will be scrubbed.

A better solution is WebSphere's extension to HttpSession,
invalidateAll(), which causes all sessions attached to the authenticated
user to be invalidated. Sun suggested this in the original drafts for
the servlet API version 2.4, but it didn't make the final draft.
However, it is easy to implement in Tomcat. I haven't made the
modification to the clusters as I don't use them in my set-up, but the
code changes are as follows:


-javax.servlet.http.HttpSession.java
        add the line:

    public void invalidateAll();

-org.apache.catalina.Session.java
        add the lines:

    public static final String INVALIDATE_ALL_SESSIONS =
        "invalidateAllSessions";

-org.apache.catalina.session.StandardSession.java
        add the lines:

    public void invalidateAll()
    {
        fireSessionEvent(Session.INVALIDATE_ALL_SESSIONS, null);
    }

-org.apache.catalina.session.StandardSessionFacade.java
        add the lines:

    public void invalidateAll()
    {
        this.session.invalidateAll();
    }

-org.apache.catalina.cluster.session.DeltaSession.java
        add the lines:

    public void invalidateAll()
    {
        //not using clusters, but need to implement interface
    }

-org.apache.catalina.cluster.session.DeltaSessionFacade.java
        add the lines:

    public void invalidateAll()
    {
        this.session.invalidateAll();
    }

-org.apache.catalina.cluster.session.ReplicatedSession.java
        add the lines:

    public void invalidateAll()
    {
        //not using clusters, but need to implement interface
    }

-org.apache.catalina.authenticator.SingleSignOn.java
        in the method sessionEvent(SessionEvent event) add the lines:

        // Catch our event to destroy the single sign on session and
        // all attached sessions
        log("Session event fired. Event type: " + event.getType());
        if (Session.INVALIDATE_ALL_SESSIONS.equals(event.getType()))
        {
            // Look up the single session id associated with this
            // session (if any)
            Session session = event.getSession();
            if (debug >= 1)
            {
                log("Destroying SSO Session: " + session);
            }
            String ssoId = null;
            synchronized (reverse)
            {
                ssoId = (String) reverse.get(session);
            }
            if (ssoId == null)
            {
                log("Nothing to deregister");
                return;
            }
            deregister(ssoId);
            log("Deregistered.");
        }

Hope this helps!

-Mike Fowler
"I could be a genius if I just put my mind to it, and I,
I could do anything, if only I could get 'round to it"
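The behaviour Mike describes (an SSO entry that survives as long as any attached session is still valid, and an invalidateAll() that deregisters the SSO id and scrubs every attached session) can be checked in isolation. The stand-alone Java model below is an added example, not Mike's patch or Tomcat's own code: the class names SsoInvalidationDemo, AppSession and SsoRegistry, and the SSO id "sso-1", are constructed for illustration. Only the two maps it keeps (ssoId to attached sessions, and the `reverse` map from session to ssoId used in the sessionEvent snippet above) follow the structure of the SingleSignOn valve.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/*
 * Stand-alone model of the SingleSignOn bookkeeping described in the post.
 * Class and method names are illustrative, not Tomcat's; only the behaviour
 * (an SSO entry lives while any attached session is valid, and deregister()
 * tears down every attached session) mirrors what the post describes.
 */
public class SsoInvalidationDemo {

    /** Minimal stand-in for one web app's HttpSession. */
    static final class AppSession {
        final String webApp;
        boolean valid = true;

        AppSession(String webApp) { this.webApp = webApp; }

        void invalidate() { valid = false; }
    }

    /** Mirrors the valve's two maps: ssoId -> attached sessions, and session -> ssoId. */
    static final class SsoRegistry {
        private final Map<String, List<AppSession>> cache = new HashMap<>();
        private final Map<AppSession, String> reverse = new HashMap<>();

        /** Called when the login web app authenticates the user. */
        void register(String ssoId) {
            cache.put(ssoId, new ArrayList<>());
        }

        /** Called when a web app creates a session under an existing SSO cookie. */
        void associate(String ssoId, AppSession session) {
            List<AppSession> sessions = cache.get(ssoId);
            if (sessions == null) {
                throw new IllegalStateException("unknown SSO id " + ssoId);
            }
            sessions.add(session);
            reverse.put(session, ssoId);
        }

        /** Plain HttpSession.invalidate(): detach one session; the SSO entry lives on while others remain. */
        void sessionDestroyed(AppSession session) {
            session.invalidate();
            String ssoId = reverse.remove(session);
            if (ssoId == null) {
                return;
            }
            List<AppSession> sessions = cache.get(ssoId);
            sessions.remove(session);
            if (sessions.isEmpty()) {
                cache.remove(ssoId); // last attached session gone: SSO entry expires
            }
        }

        /** The invalidateAll() path from the post: look up the ssoId via 'reverse', then deregister it. */
        void invalidateAll(AppSession session) {
            String ssoId = reverse.get(session);
            if (ssoId == null) {
                return; // nothing to deregister
            }
            deregister(ssoId);
        }

        /** Remove the SSO entry and invalidate every session attached to it. */
        void deregister(String ssoId) {
            List<AppSession> sessions = cache.remove(ssoId);
            if (sessions == null) {
                return;
            }
            for (AppSession s : sessions) {
                reverse.remove(s);
                s.invalidate();
            }
        }

        boolean isActive(String ssoId) {
            return cache.containsKey(ssoId);
        }
    }

    public static void main(String[] args) {
        SsoRegistry sso = new SsoRegistry();
        sso.register("sso-1");                          // constructed SSO id
        AppSession login = new AppSession("login-app"); // session left behind in the login app
        AppSession second = new AppSession("second-app");
        sso.associate("sso-1", login);
        sso.associate("sso-1", second);

        // Logging out of the second app alone: the lingering login session keeps the SSO entry alive.
        sso.sessionDestroyed(second);
        System.out.println("SSO still active after plain invalidate(): " + sso.isActive("sso-1"));

        // Attach a fresh second-app session, then use invalidateAll(): the SSO entry and every
        // attached session, including the forgotten login-app one, are scrubbed together.
        AppSession secondAgain = new AppSession("second-app");
        sso.associate("sso-1", secondAgain);
        sso.invalidateAll(secondAgain);
        System.out.println("SSO active after invalidateAll(): " + sso.isActive("sso-1"));
        System.out.println("login-app session still valid: " + login.valid);
    }
}
```

Run it with `javac SsoInvalidationDemo.java && java SsoInvalidationDemo`. The first scenario is the problem from the top of the thread: invalidating only the second app's session leaves the SSO entry active because the login app's session is still valid. The second scenario is what the invalidateAll() patch achieves: one call from any attached session deregisters the SSO id and invalidates every session hanging off it, so no forgotten session keeps the user signed on.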
