tomcat-dev mailing list archives

From Jan Luehe <Jan.Lu...@Sun.COM>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOn.java
Date Mon, 20 Sep 2004 18:02:52 GMT
Brian,

Brian Stansberry wrote:
> Jan,
> 
> At 06:18 PM 9/16/2004 +0000, you wrote:
> 
>> luehe       2004/09/16 11:18:41
>>
>>  Modified:    catalina/src/share/org/apache/catalina/authenticator
>>                        SingleSignOn.java
>>  Log:
>>  - Removed deregister(String ssoid), because it is no longer needed
>>    (used to be called when session was logged out, which is no longer
>>    supported)
>>
> 
> I'm not sure what you meant here by "no longer supported."  Do you mean 
> the cross-webapp signout feature that deregister(String ssoid) provided, 
> or has there been some more fundamental change in TC's handling of 
> HttpSession.invalidate()?

I was referring to the removal of javax.servlet.http.HttpSession.logout(),
which had been added temporarily to Servlet 2.4 and was later removed
before the spec went final. See this log entry in the history of
javax.servlet.http.HttpSession:

   revision 1.3
   date: 2003/04/07 21:27:36;  author: jfarcand;  state: Exp;  lines: +0 -15
   As required by the upcoming Servlet spec 2.4 PFD 3, remove the
   logout() method.

This method was the only method that generated a SessionEvent of
type SESSION_DESTROYED_EVENT with event data equal to "logout", which
used to invalidate all remaining sessions (if any) associated with
the SingleSignOn entry.

> In either case, the SingleSignOn docs at 
> http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/host.html#Single%20Sign%20On 
> need to be updated, as they state:
> 
> "As soon as the user logs out of one web application (for example, by 
> invalidating or timing out the corresponding session if form based login 
> is used), the user's sessions in all web applications will be 
> invalidated. Any subsequent attempt to access a protected resource in 
> any application will require the user to authenticate himself or herself 
> again."
> 
> (Actually, that paragraph was incorrect even before this patch, since 
> the time out of a session would not cause other sessions to be 
> invalidated.)

Agreed. I'm going to remove this paragraph.

Jan

> Best,
> Brian Stansberry
> 
>>  - Replaced call to removeSession(String, Session) with
>>    deregister(String, Session), which is identical, and removed
>>    removeSession(String, Session) because it is no longer needed
>>
>>  Revision  Changes    Path
>>  1.18      +3 -92     
>> jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java

>>
>>
>>  Index: SingleSignOn.java
>>  ===================================================================
>>  RCS file: 
>> /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v

>>
>>  retrieving revision 1.17
>>  retrieving revision 1.18
>>  diff -u -r1.17 -r1.18
>>  --- SingleSignOn.java 29 Aug 2004 16:46:09 -0000      1.17
>>  +++ SingleSignOn.java 16 Sep 2004 18:18:41 -0000      1.18
>>  @@ -287,24 +287,10 @@
>>           synchronized (reverse) {
>>               ssoId = (String) reverse.get(session);
>>           }
>>  -        if (ssoId == null)
>>  +        if (ssoId == null) {
>>               return;
>>  -
>>  -        // Was the session destroyed as the result of a timeout?
>>  -        // If so, we'll just remove the expired session from the
>>  -        // SSO.  If the session was logged out, we'll log out
>>  -        // of all session associated with the SSO.
>>  -        if ((session.getMaxInactiveInterval() > 0)
>>  -            && (System.currentTimeMillis() - 
>> session.getLastAccessedTime() >=
>>  -                session.getMaxInactiveInterval() * 1000)) {
>>  -            removeSession(ssoId, session);
>>  -        } else {
>>  -            // The session was logged out.
>>  -            // Deregister this single session id, invalidating
>>  -            // associated sessions
>>  -            deregister(ssoId);
>>           }
>>  -
>>  +        deregister(ssoId, session);
>>       }
>>
>>
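Review bot: the `if/else` that distinguished a timed-out session from a logged-out one is replaced by an unconditional `deregister(ssoId, session)`, so expiry of one webapp's session now only detaches that session from the SSO entry and never touches the others; that matches the commit log, but the Javadoc of this method and the SSO section of the host configuration docs quoted in this thread still describe logout propagation and should be corrected in the same change. The body of `deregister(String, Session)` is outside this diff, so whether an entry whose last session is removed is evicted from `cache` cannot be verified from this hunk.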
>>  @@ -468,46 +454,6 @@
>>
>>
>>       /**
>>  -     * Deregister the specified single sign on identifier, and 
>> invalidate
>>  -     * any associated sessions.
>>  -     *
>>  -     * @param ssoId Single sign on identifier to deregister
>>  -     */
>>  -    protected void deregister(String ssoId) {
>>  -
>>  -        if (container.getLogger().isDebugEnabled())
>>  -            container.getLogger().debug("Deregistering sso id '" + 
>> ssoId + "'");
>>  -
>>  -        // Look up and remove the corresponding SingleSignOnEntry
>>  -        SingleSignOnEntry sso = null;
>>  -        synchronized (cache) {
>>  -            sso = (SingleSignOnEntry) cache.remove(ssoId);
>>  -        }
>>  -
>>  -        if (sso == null)
>>  -            return;
>>  -
>>  -        // Expire any associated sessions
>>  -        Session sessions[] = sso.findSessions();
>>  -        for (int i = 0; i < sessions.length; i++) {
>>  -            if (container.getLogger().isTraceEnabled())
>>  -                container.getLogger().trace(" Invalidating session " 
>> + sessions[i]);
>>  -            // Remove from reverse cache first to avoid recursion
>>  -            synchronized (reverse) {
>>  -                reverse.remove(sessions[i]);
>>  -            }
>>  -            // Invalidate this session
>>  -            sessions[i].expire();
>>  -        }
>>  -
>>  -        // NOTE:  Clients may still possess the old single sign on 
>> cookie,
>>  -        // but it will be removed on the next request since it is no 
>> longer
>>  -        // in the cache
>>  -
>>  -    }
>>  -
>>  -
>>  -    /**
>>        * Attempts reauthentication to the given <code>Realm</code> using
>>        * the credentials associated with the single sign-on session
>>        * identified by argument <code>ssoId</code>.
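Review bot: removing `deregister(String ssoId)` also removes the only code in this file that expired every session behind an SSO id and evicted the entry from `cache`; two things in the deleted body are worth keeping somewhere: the ordering comment `// Remove from reverse cache first to avoid recursion` before `sessions[i].expire()`, which any future logout-everywhere path will need again, and the NOTE that a client may still present an SSO cookie for an evicted entry, which relies on the request path rejecting ids no longer in `cache`. A sentence in the class Javadoc stating that SSO no longer propagates logout or expiry between webapps would document the behaviour change.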
>>  @@ -636,39 +582,4 @@
>>           }
>>
>>       }
>>  -
>>  -
>>  -    /**
>>  -     * Remove a single Session from a SingleSignOn.  Called when
>>  -     * a session is timed out and no longer active.
>>  -     *
>>  -     * @param ssoId Single sign on identifier from which to remove 
>> the session.
>>  -     * @param session the session to be removed.
>>  -     */
>>  -    protected void removeSession(String ssoId, Session session) {
>>  -
>>  -        if (container.getLogger().isDebugEnabled())
>>  -            container.getLogger().debug("Removing session " + 
>> session.toString() + " from sso id " +
>>  -                ssoId );
>>  -
>>  -        // Get a reference to the SingleSignOn
>>  -        SingleSignOnEntry entry = lookup(ssoId);
>>  -        if (entry == null)
>>  -            return;
>>  -
>>  -        // Remove the inactive session from SingleSignOnEntry
>>  -        entry.removeSession(session);
>>  -
>>  -        // Remove the inactive session from the 'reverse' Map.
>>  -        synchronized(reverse) {
>>  -            reverse.remove(session);
>>  -        }
>>  -
>>  -        // If there are not sessions left in the SingleSignOnEntry,
>>  -        // deregister the entry.
>>  -        if (entry.findSessions().length == 0) {
>>  -            deregister(ssoId);
>>  -        }
>>  -    }
>>  -
>>   }
>>
>>
>>
>>
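Review bot: the deleted `removeSession` ended with `if (entry.findSessions().length == 0) { deregister(ssoId); }`, which is what evicted an SSO entry once its last session was gone; the commit log says `deregister(String, Session)` is identical, but that method is not in this diff and `deregister(String)` is deleted in the same patch, so please confirm the surviving method removes the empty entry from `cache` itself. Otherwise entries holding the credentials used for reauthentication stay resident after every associated session has expired.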
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 



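The two session-removal behaviours discussed in this thread, as an added example that is not Tomcat's code and not part of the original message: a tiny SSO registry whose session-destroyed handler behaves as the patched code does (detach only that session, evict the entry once it is empty), next to a logout-everywhere method that behaves as the removed `deregister(String)` did. The `Session`, `SsoModel`, `associate` and `hasEntry` names are hypothetical stand-ins for `org.apache.catalina.Session` and `SingleSignOnEntry`; the reverse-map-before-`expire()` ordering follows the comment in the deleted code, because `expire()` re-enters the destroyed handler.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not Tomcat code: models the SingleSignOn bookkeeping
// described in the thread. All names below are hypothetical stand-ins.
public class SsoModel {

    /** Hypothetical stand-in for org.apache.catalina.Session. */
    static class Session {
        final String id;
        boolean valid = true;
        final SsoModel sso;

        Session(String id, SsoModel sso) { this.id = id; this.sso = sso; }

        /** Models Session.expire(): invalidates and re-enters the SSO's destroyed handler. */
        void expire() {
            if (!valid) return;
            valid = false;
            sso.sessionDestroyed(this);
        }
    }

    // ssoId -> sessions sharing that entry (stands in for SingleSignOnEntry)
    private final Map<String, List<Session>> cache = new HashMap<>();
    // session -> ssoId (stands in for the 'reverse' map)
    private final Map<Session, String> reverse = new HashMap<>();

    void associate(String ssoId, Session s) {
        cache.computeIfAbsent(ssoId, k -> new ArrayList<>()).add(s);
        reverse.put(s, ssoId);
    }

    boolean hasEntry(String ssoId) { return cache.containsKey(ssoId); }

    /** Post-patch behaviour: a destroyed session is only detached from its SSO entry. */
    void sessionDestroyed(Session s) {
        String ssoId = reverse.remove(s);
        if (ssoId == null) return;            // not part of any SSO, or already detached
        List<Session> sessions = cache.get(ssoId);
        if (sessions == null) return;
        sessions.remove(s);
        if (sessions.isEmpty()) cache.remove(ssoId); // evict the entry with its last session
    }

    /** Pre-patch "logout" semantics (the removed deregister(String)): expire every session. */
    void deregister(String ssoId) {
        List<Session> sessions = cache.remove(ssoId);
        if (sessions == null) return;
        for (Session s : new ArrayList<>(sessions)) {
            // Clear the reverse mapping first: expire() calls sessionDestroyed(),
            // which then finds no ssoId and returns instead of re-processing the entry.
            reverse.remove(s);
            s.expire();
        }
    }

    public static void main(String[] args) {
        SsoModel sso = new SsoModel();
        Session app1 = new Session("app1", sso);
        Session app2 = new Session("app2", sso);
        sso.associate("SSO-1", app1);
        sso.associate("SSO-1", app2);

        app1.expire(); // one webapp's session times out: app2 stays valid, entry survives
        System.out.println("after app1 expiry: app2 valid=" + app2.valid
                + ", entry present=" + sso.hasEntry("SSO-1"));

        sso.deregister("SSO-1"); // old logout-everywhere path: app2 expired, entry gone
        System.out.println("after deregister: app2 valid=" + app2.valid
                + ", entry present=" + sso.hasEntry("SSO-1"));
    }
}
```

Running `main` shows the distinction the patch collapses: after the first call only `app1` is detached and the SSO entry is still present, while `deregister` invalidates `app2` as well and leaves no entry behind. The early return on a missing reverse mapping is what makes the re-entrant `expire()` call safe.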

