Version 4

    Session Invalidation in JBoss Portal



    Portal vs Portlet Session


    Invalidating the portal session will not invalidate the different portlet sessions. The main reason is that those are two different sessions.


    However, we do know that this may be a potential security issue, so we have a mechanism in place that, on sign out, triggers the invalidation of all the portlet sessions that the user has used during their session.


    Alternatively, you could invalidate that specific portlet session. You need to make a request dispatch to the target WAR file containing your portlet and invalidate the session in a special servlet, like this:


    in the code located in the portal (your servlet filter) :


       RequestDispatcher rd = servletContext.getContext("/myapp").getRequestDispatcher("/MyServlet"); // dispatcher path must start with "/"
       rd.include(req, resp);


    where myapp is the context name of the web application containing the special servlet. (Please beware the value "/myapp" could be "myapp" without the "/" in front of it. I am not very sure of it)


    then you need a servlet which will only do :


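    // inside MyServlet: invalidate this web application's session
    public void service(HttpServletRequest req, HttpServletResponse resp) { req.getSession().invalidate(); }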


    and declare it as MyServlet in your web.xml
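
The dispatch-and-invalidate steps above as one listing; this is an added example, not code from JBoss Portal. The `PortletSessionInvalidator` helper name, the `/MyServlet` URL mapping and the single-file layout are assumptions; the null checks cover a container that refuses cross-context access or cannot resolve the path.

```java
// Added example, not JBoss Portal code. Two classes shown in one listing:
// MyServlet is deployed in the portlet WAR, PortletSessionInvalidator
// (hypothetical helper name) in the web application holding the portal-side filter.
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Portlet WAR side. Assumed web.xml mapping: servlet-name MyServlet, url-pattern /MyServlet. */
public class MyServlet extends HttpServlet {
   @Override
   protected void service(HttpServletRequest req, HttpServletResponse resp)
         throws ServletException, IOException {
      // getSession(false) avoids creating a fresh session only to destroy it.
      HttpSession session = req.getSession(false);
      if (session != null) {
         session.invalidate();
      }
   }
}

/** Portal side: call from the servlet filter that handles the invalidation request. */
final class PortletSessionInvalidator {
   /** @return true if the include was dispatched, false if the target was unreachable. */
   static boolean invalidate(ServletContext portalContext, String contextPath,
         String servletPath, HttpServletRequest req, HttpServletResponse resp)
         throws ServletException, IOException {
      // getContext() returns null when the container denies cross-context access.
      ServletContext target = portalContext.getContext(contextPath);
      if (target == null) {
         return false;
      }
      // getRequestDispatcher() returns null when no dispatcher can be provided for the path.
      RequestDispatcher rd = target.getRequestDispatcher(servletPath);
      if (rd == null) {
         return false;
      }
      rd.include(req, resp);
      return true;
   }
}
```

Call it as `PortletSessionInvalidator.invalidate(servletContext, "/myapp", "/MyServlet", req, resp)` and log a `false` result, since it means the portlet session was left alive.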



    Signout Command


    In JBoss Portal 2.6 you can use the SignOut command to invalidate the Session (which is the default behavior when you click on the LogOut link)! The SignOut command essentially destroys all the sessions of the various portlet web applications visited by the user.


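    If you write a JBoss Portlet, you can call the signOut() method on an actionResponse object to call the SignOut command.


    // calling signOut() on the JBoss action response triggers the SignOut command
    public void myLogout(JBossActionRequest req, JBossActionResponse resp) { resp.signOut(); }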



    Portal Environment Session Diagnosis


    Most often we run into a point where our session data is not getting invalidated. In those cases, please use the following guidelines to check what is happening behind our backs!


    You are dealing with at least 3 different sessions when you are using JBoss Portal with JBossAS:

    • your webapp session

    • the portal's webapp session

    • the portlet's webapp session


    To check if the sessions are invalidated add a SessionListener in the 3 webapps.


    Write a class like the following:


    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    // Logs session creation and destruction so you can see which webapp's session is invalidated
    public class MySessionListener implements HttpSessionListener {
       public void sessionCreated(HttpSessionEvent se) {
          System.out.println("Portal [CHANGEME FOR OTHER WEBAPPS] Session created");
       }

       public void sessionDestroyed(HttpSessionEvent se) {
          System.out.println("Portal [CHANGEME FOR OTHER WEBAPPS] Session destroyed");
       }
    }


    put it in WEB-INF/classes and add in the web.xml:



    Do it for all the 3 webapps. It will help you diagnose the problem!