tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40775] - Single-sign on session invalidation not working as expected
Date Mon, 12 Feb 2007 15:11:17 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=40775


mark.oliveira@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |
            Version|5.5.17                      |5.5.20




------- Additional Comments From mark.oliveira@gmail.com  2007-02-12 07:11 -------
Hi,

We have recently upgraded to Tomcat 5.5.20 so I have revisited this bug and
noticed an error in my test case.  The following steps should be used to
reproduce this behavior:

1. Using form auth, log into webapp1 (by attempting to access a protected 
resource that does not exist)
2. Access a NONprotected resource in webapp2 (in my test I use a call to
request.getRemoteUser() in this resource to verify that I am logged in).
3. Invalidating the session from webapp2 does not log you out.

As you can see, webapp2 knows about the remoteUser, and if you were to attempt to
access a protected resource, access would be granted. Considering this behavior,
it appears that you are in fact logged in to webapp2 by logging into webapp1 (as
expected).  The problem here is that if you are logged in then you should also
be able to log out, but this is not possible until you actually access a
protected resource.  I have verified that this behavior is present in 5.5.20 and
have provided test wars.  Please have a look.


Thanks,

Mark
