Thank you, Mark!

On Tue, Jan 20, 2015 at 12:18 AM, Mark Thomas <ma...@apache.org> wrote:
> On 16/01/2015 14:05, Leonid Rozenblyum wrote:
>> Hello Mark.
>>
>> We do explicit forced expiration of the http session in one of the SSO enabled
>> apps (Application1 : session.invalidate() )
>> and it didn't cause session expiration in the other Apps
>>
>> (only the workaround with adding security-constraint to the other apps that I
>> mentioned above helped).
>>
>> Tomcat version is 8.0.15. OS tested was both linux & windows.
>>
>> Probably I need to prepare a minimal test case since it looks like a bug,
>> right?
>
> Yes to the possible bug. Thanks but no need at this point for the test
> case. I'll take a look at what is going on.
>
> Mark
>
>> On Fri, Jan 16, 2015 at 2:53 PM, Mark Thomas <ma...@apache.org> wrote:
>>> On 15/01/2015 15:46, Leonid Rozenblyum wrote:
>>>> Hello.
>>>>
>>>> I have > 2 web-applications which are running on the same host.
>>>> The Valve SingleSignOn is enabled.
>>>>
>>>> Application1 has security-constraint and login-config elements in web.xml.
>>>> Application2, 3 etc. have no such definitions.
>>>>
>>>> Technically Application1 is acting as a security gate. All other
>>>> applications are redirected to it if userPrincipal is not found.
>>>>
>>>> In this scenario Single Sign ON works fine - after authenticating in
>>>> Application1, all other applications have the correct userPrincipal.
>>>>
>>>> However Single Sign OFF doesn't work in this configuration. If I
>>>> logout in App1, other sessions are not invalidated.
>>>>
>>>> How can this be overcome? Is it a bug or works-as-intended?
>>>
>>> Explicit, forced expiration of the HTTP session in any SSO enabled web
>>> application should destroy the SSO session and in turn trigger the
>>> expiration of the HTTP session for every other SSO enabled web application.
>>>
>>> Session expiration due to timeout in an SSO enabled web application only
>>> terminates the HTTP session for that web application. The SSO session is
>>> unaffected (unless this was the last HTTP session associated with the
>>> SSO session in which case the SSO session is removed).
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
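The "security gate" arrangement Leonid describes, as an added illustration that is not code from the thread or from Tomcat: a filter for Application2 that bounces requests without a userPrincipal to Application1, and a logout servlet for Application1 that performs the explicit session.invalidate() Mark says should cascade to every other SSO-enabled application. The context path /app1/, the /logout mapping and both class names are assumptions; the two classes belong in the two separate web applications.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Deployed in Application2, which has no security-constraint of its own.
// The SingleSignOn valve supplies the principal after the user has
// authenticated against Application1; no principal means "not logged in".
@WebFilter("/*")
public class SsoGateFilter implements Filter {
    private static final String GATE_URL = "/app1/"; // assumed path of Application1

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.getUserPrincipal() == null) {
            ((HttpServletResponse) res).sendRedirect(GATE_URL);
            return;
        }
        chain.doFilter(req, res);
    }
}

// Deployed in Application1, the app carrying security-constraint and
// login-config. Invalidating the session here is the explicit, forced
// expiration that per Mark should destroy the SSO session; the thread
// reports it did not reach Application2 on 8.0.15 until that app also
// carried a security-constraint.
@WebServlet("/logout")
class GateLogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // explicit expiration, not a timeout
        }
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```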