geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Geronimo 1.1.1, JaasLoginService, logout
Date Mon, 18 Feb 2008 22:30:29 GMT
My Geronimo instance exposes several servlets that provide processing of requests.  I've implemented
a custom LoginModule, and my geronimo-application.xml is configured to require presentation
of credentials in order to access the servlets.  All of this seems ok.

Some of the clients of my services do not process the JSESSIONID in the service response.
 So each request from one of these causes a new JaasSecuritySession to be created, and stored
in the "activeLogins" member Map of JaasLoginService.

My observation in running JProfiler 4.1.3 is that my LoginModule instances are not being cleaned
up, due to each being held as a member of a child object of JaasSecuritySession.

It is not clear how I can cause the "activeLogins" map to be cleaned up.  I can see that there
is an instance of ExpirationMonitor running periodically.  However, I do not want to change
DEFAULT_MAX_LOGIN_DURATION (one day), as this is a container-wide setting.

One idea I had was to manually expire the session at the end of the servlet invocation.  HttpSession.invalidate()
seems to expire the Tomcat session, but not the security session.

Any suggestions for cleaning up these security sessions would be appreciated.

View raw message