tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Questions on "Single Sign On"?
Date Tue, 20 Oct 2009 15:15:58 GMT
Hash: SHA1


On 10/20/2009 9:19 AM, Josh Gooding wrote:
> I am using a realm for this.  I decided that the best route to go on this is
> if a user is actively logged in and tries to log in again (while already
> authenticated) to invalidate the 'other' session and continue on, that way
> of the browser dies, they can still get in.  I have however not clue one on
> how to do this.  What is put in the session upon authentication that I could
> have my code look for to invalidate the "other" live session?

There is nothing put into the session to help you with this: your web
application will have to provide all of the marking and plumbing
required to fulfill this requirement.

A suggestion:

1. Modify your realm to place a token into the session to identify the
user. Also, register the session with a session registry you maintain
that tracks user -> session.

2. Implement an HttpSessionListener, where the sessionDestroyed method
   removes the session from your registry.

3. When a user tries to login, your realm can look up in this registry
   for any existing sessions and call invalidate() on them.

You can do this in a slightly less invasive way if you decide that the
request's Principal is sufficient for identification. You can write a
Filter that stores the requests's principal in the session (if they both
exist) and then write an HttpSessionListener that does the mapping. Any
time a session is created with an already-known principal, you kill the
previous one. Hmm.... there may be some timing problems with this
(because the session is created before you are able to stuff he
requests' Principal into it...). You may have to play around with this a

Good luck,
- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message