tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Stansberry" <b_stansbe...@hotmail.com>
Subject RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOn.java
Date Sun, 19 Sep 2004 07:44:55 GMT
Jan,

At 06:18 PM 9/16/2004 +0000, you wrote:
>luehe       2004/09/16 11:18:41
>
>  Modified:    catalina/src/share/org/apache/catalina/authenticator
>                        SingleSignOn.java
>  Log:
>  - Removed deregister(String ssoid), because it is no longer needed
>    (used to be called when session was logged out, which is no longer
>    supported)
>

I'm not sure what you meant here by "no longer supported."  Do you mean the 
cross-webapp signout feature that deregister(String ssoid) provided, or has 
there been some more fundamental change in TC's handling of 
HttpSession.invalidate()?

In either case, the SingleSignOn docs at 
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/host.html#Single%20Sign%20On 
need to be updated, as they state:

"As soon as the user logs out of one web application (for example, by 
invalidating or timing out the corresponding session if form based login is 
used), the user's sessions in all web applications will be invalidated. Any 
subsequent attempt to access a protected resource in any application will 
require the user to authenticate himself or herself again."

(Actually, that paragraph was incorrect even before this patch, since the 
time out of a session would not cause other sessions to be invalidated.)

Best,
Brian Stansberry

>  - Replaced call to removeSession(String, Session) with
>    deregister(String, Session), which is identical, and removed
>    removeSession(String, Session) because it is no longer needed
>
>  Revision  Changes    Path
>  1.18      +3 -92     
>jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java
>
>  Index: SingleSignOn.java
>  ===================================================================
>  RCS file: 
>/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v
>  retrieving revision 1.17
>  retrieving revision 1.18
>  diff -u -r1.17 -r1.18
>  --- SingleSignOn.java 29 Aug 2004 16:46:09 -0000      1.17
>  +++ SingleSignOn.java 16 Sep 2004 18:18:41 -0000      1.18
>  @@ -287,24 +287,10 @@
>           synchronized (reverse) {
>               ssoId = (String) reverse.get(session);
>           }
>  -        if (ssoId == null)
>  +        if (ssoId == null) {
>               return;
>  -
>  -        // Was the session destroyed as the result of a timeout?
>  -        // If so, we'll just remove the expired session from the
>  -        // SSO.  If the session was logged out, we'll log out
>  -        // of all session associated with the SSO.
>  -        if ((session.getMaxInactiveInterval() > 0)
>  -            && (System.currentTimeMillis() - 
>session.getLastAccessedTime() >=
>  -                session.getMaxInactiveInterval() * 1000)) {
>  -            removeSession(ssoId, session);
>  -        } else {
>  -            // The session was logged out.
>  -            // Deregister this single session id, invalidating
>  -            // associated sessions
>  -            deregister(ssoId);
>           }
>  -
>  +        deregister(ssoId, session);
>       }
>
>
>  @@ -468,46 +454,6 @@
>
>
>       /**
>  -     * Deregister the specified single sign on identifier, and 
>invalidate
>  -     * any associated sessions.
>  -     *
>  -     * @param ssoId Single sign on identifier to deregister
>  -     */
>  -    protected void deregister(String ssoId) {
>  -
>  -        if (container.getLogger().isDebugEnabled())
>  -            container.getLogger().debug("Deregistering sso id '" + ssoId 
>+ "'");
>  -
>  -        // Look up and remove the corresponding SingleSignOnEntry
>  -        SingleSignOnEntry sso = null;
>  -        synchronized (cache) {
>  -            sso = (SingleSignOnEntry) cache.remove(ssoId);
>  -        }
>  -
>  -        if (sso == null)
>  -            return;
>  -
>  -        // Expire any associated sessions
>  -        Session sessions[] = sso.findSessions();
>  -        for (int i = 0; i < sessions.length; i++) {
>  -            if (container.getLogger().isTraceEnabled())
>  -                container.getLogger().trace(" Invalidating session " + 
>sessions[i]);
>  -            // Remove from reverse cache first to avoid recursion
>  -            synchronized (reverse) {
>  -                reverse.remove(sessions[i]);
>  -            }
>  -            // Invalidate this session
>  -            sessions[i].expire();
>  -        }
>  -
>  -        // NOTE:  Clients may still possess the old single sign on 
>cookie,
>  -        // but it will be removed on the next request since it is no 
>longer
>  -        // in the cache
>  -
>  -    }
>  -
>  -
>  -    /**
>        * Attempts reauthentication to the given <code>Realm</code> using
>        * the credentials associated with the single sign-on session
>        * identified by argument <code>ssoId</code>.
>  @@ -636,39 +582,4 @@
>           }
>
>       }
>  -
>  -
>  -    /**
>  -     * Remove a single Session from a SingleSignOn.  Called when
>  -     * a session is timed out and no longer active.
>  -     *
>  -     * @param ssoId Single sign on identifier from which to remove the 
>session.
>  -     * @param session the session to be removed.
>  -     */
>  -    protected void removeSession(String ssoId, Session session) {
>  -
>  -        if (container.getLogger().isDebugEnabled())
>  -            container.getLogger().debug("Removing session " + 
>session.toString() + " from sso id " +
>  -                ssoId );
>  -
>  -        // Get a reference to the SingleSignOn
>  -        SingleSignOnEntry entry = lookup(ssoId);
>  -        if (entry == null)
>  -            return;
>  -
>  -        // Remove the inactive session from SingleSignOnEntry
>  -        entry.removeSession(session);
>  -
>  -        // Remove the inactive session from the 'reverse' Map.
>  -        synchronized(reverse) {
>  -            reverse.remove(session);
>  -        }
>  -
>  -        // If there are not sessions left in the SingleSignOnEntry,
>  -        // deregister the entry.
>  -        if (entry.findSessions().length == 0) {
>  -            deregister(ssoId);
>  -        }
>  -    }
>  -
>   }
>
>
>
>

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message