We found a solution to our problem:
We implemented an HttpSessionListener whose sessionCreated(HttpSessionEvent
se) method fires when the JSESSIONID session is created and we additionally
call subject.getSession() to retrieve the Shiro session 'SSOcookie'. Then we
save both to an @ApplicationScoped map and on logout we look up the Shiro
session in the @ApplicationScoped map and invalidate the JSESSIONID
previously saved along with it.

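import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.session.Session;

@WebListener
public class MyClass implements HttpSessionListener {
...
  @Override
  public void sessionCreated(HttpSessionEvent se) {
    HttpSession jsession = se.getSession();  // container session (JSESSIONID)
    Session shiro = subject.getSession();    // Shiro session, not an HttpSession
    // save both sessions someplace so we can invalidate them on logout
    ....
  }
...
}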



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656p7580665.html
Sent from the Shiro User mailing list archive at Nabble.com.
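
One way the listener-plus-map approach described in the message above could be filled in, as an added example that is not the poster's code. The class name, the static map standing in for the @ApplicationScoped bean, and the javax.servlet namespace are assumptions.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;

// Hypothetical class; a static map stands in for the @ApplicationScoped bean.
@WebListener
public class SessionLinkListener implements HttpSessionListener {

    // Shiro session id -> container session created on the same request.
    private static final Map<Serializable, HttpSession> LINKS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Assumes Shiro's filter has already bound a Subject to this thread.
        Session shiro = SecurityUtils.getSubject().getSession();
        LINKS.put(shiro.getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Drop the entry when the container session times out on its own,
        // otherwise the map keeps dead sessions reachable indefinitely.
        String id = se.getSession().getId();
        LINKS.values().removeIf(s -> s.getId().equals(id));
    }

    // Call from the logout handler with the id read BEFORE subject.logout();
    // after logout, subject.getSession() would hand back a new session.
    public static void invalidateLinked(Serializable shiroSessionId) {
        HttpSession linked = LINKS.remove(shiroSessionId);
        if (linked == null) {
            return; // no container session was recorded for this Shiro session
        }
        try {
            linked.invalidate(); // ends the session scope the CDI beans live in
        } catch (IllegalStateException alreadyInvalidated) {
            // The container expired it first; nothing is left to clean up.
        }
    }
}
```

A logout handler would read `subject.getSession().getId()`, pass it to `invalidateLinked`, and then call `subject.logout()`.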
