I'm having a problem where every client request on a web service
endpoint logs in (using WS-Security), does some processing that
completes quickly, but leaves their session active. I want to log them
out and kill their HttpSession at the end of the process. The problem is
that the session remains active afterwards - like a user who didn't
log out. And I don't know how to get access to the session from the
interceptor to manually invalidate it. I'm running on JBoss and using
the web-console to monitor sessions for my web app, so it's easy to see
that each new request creates one new session.

Note that I'm using Spring Security.

One approach I tried was using an inInterceptor. I stored the session
like this (bad idea, I know):

    HttpServletRequest res = (HttpServletRequest)message.get("HTTP.REQUEST");
    message.put("mysessionkey", res.getSession());

... and then I tried to get the session from the map in the
outInterceptor:

    HttpSession s = (HttpSession)message.get("mysessionkey");

...but the map didn't contain my object. I guess it didn't carry over
from the "in" phase to the "out" phase.
This approach isn't pretty and I'm sure there's a better way to get to
the session.
Thanks,
Morgan
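
An added example, not part of the original post: in CXF the inbound and outbound Message are separate objects linked by a shared Exchange, so an out interceptor can reach the servlet request through the exchange's in-message and invalidate the session there. The class name and the phase choice are assumptions, and the code assumes the servlet-based HTTP transport with the javax.servlet API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

// Hypothetical class name. Register it on both the out chain and the
// out-fault chain so a request that ends in a SOAP fault is logged out too.
public class SessionInvalidatingOutInterceptor extends AbstractPhaseInterceptor<Message> {

    public SessionInvalidatingOutInterceptor() {
        // Assumption: a late out phase, so nothing later in the chain
        // touches the session and recreates it after invalidation.
        super(Phase.SEND_ENDING);
    }

    @Override
    public void handleMessage(Message outMessage) throws Fault {
        // Values put on the in-message are not copied to the out-message;
        // the Exchange is the object both directions share.
        Exchange exchange = outMessage.getExchange();
        Message inMessage = (exchange == null) ? null : exchange.getInMessage();
        if (inMessage == null) {
            return;
        }
        // HTTP_REQUEST is the "HTTP.REQUEST" key used in the post.
        HttpServletRequest request =
                (HttpServletRequest) inMessage.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (request == null) {
            return; // not an HTTP servlet transport
        }
        // getSession(false) avoids creating a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Another component ended the session first; nothing to do.
            }
        }
    }
}
```

Values that must travel from the in chain to the out chain can likewise be stored with message.getExchange().put(...) and read back from the exchange on the way out.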