2 Replies Latest reply on Nov 18, 2005 12:04 PM by mikepastor

    Single SignOn session logoff behavior?

    mikepastor

      Hello,

      I've implemented the single sign option on 4.0.3SP1 using the Tomcat server.xml file. Using standard declarative J2EE security, I can now logon once to all of my WebApps running on the server.

      When I kill the http session (invalidate()) in one WebApp, all of the other logged in WebApp sessions are also killed. Can I rely on this behavior for a production application? Any advice would be greatly appreciated!

      Thanks,
      Mike Pastor

        • 1. Re: Single SignOn session logoff behavior?
          brian.stansberry

          When a session is destroyed, the SingleSignOn valve receives a notification. It checks the destroyed session to see whether its maxInactiveInterval has been surpassed. If so, it assumes the session was destroyed due to timeout, and other sessions associated with the sso are not invalidated. If the maxInactiveInterval was not exceeded, it assumes the session was destroyed due to a deliberate call to session.invalidate(). In this case, the other sessions associated with the sso are also invalidated.

          There is a problem with this approach, namely that if an app is undeployed, all its sessions are destroyed, probably before their maxInactiveInterval has passed. The sso valve will interpret this as a conscious invalidation and will terminate all associated sessions. So, undeploying a webapp will have the effect of terminating all sso sessions associated with the app. See http://jira.jboss.com/jira/browse/JBAS-2429.
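
To make the heuristic in the reply above concrete, here is an added illustration (not Tomcat's or JBoss's source, and not part of the original thread) of the timeout-versus-logout rule and of the undeploy case it describes; the Session class and ssoRegistry are simplified stand-ins for HttpSession and the valve's SSO cache.

```java
import java.util.*;

// Simplified model of the SingleSignOn valve's decision rule (assumption: illustrative,
// not Tomcat's or JBoss's code). Sessions are plain objects instead of HttpSession.
public class SsoLogoutHeuristic {
    static final class Session {
        final String id, app;
        final long lastAccessed;        // ms since epoch
        final int maxInactiveInterval;  // seconds, as in HttpSession.getMaxInactiveInterval()
        boolean valid = true;
        Session(String id, String app, long lastAccessed, int maxInactiveInterval) {
            this.id = id; this.app = app; this.lastAccessed = lastAccessed;
            this.maxInactiveInterval = maxInactiveInterval;
        }
    }
    // Sessions that share one SSO identity, keyed by the SSO cookie value (constructed sample).
    static final Map<String, List<Session>> ssoRegistry = new HashMap<>();

    // The valve's heuristic: idle time beyond maxInactiveInterval means the container
    // expired the session; anything earlier is taken as a deliberate invalidate().
    static boolean looksLikeTimeout(Session s, long now) {
        return now - s.lastAccessed >= s.maxInactiveInterval * 1000L;
    }

    // Handles a session-destroyed notification and returns the other sessions the valve
    // would invalidate as a consequence (empty when the destruction is read as a timeout).
    static List<Session> sessionDestroyed(String ssoId, Session destroyed, long now) {
        List<Session> group = ssoRegistry.get(ssoId);
        destroyed.valid = false;
        group.remove(destroyed);
        List<Session> killed = new ArrayList<>();
        if (!looksLikeTimeout(destroyed, now)) {   // treated as an explicit logout
            killed.addAll(group);
            for (Session other : group) other.valid = false;
            group.clear();
        }
        return killed;
    }

    public static void main(String[] args) {
        long now = 1_700_000_000_000L;
        Session a = new Session("A1", "appA", now - 5_000L, 1800);   // 5 s idle, 30 min timeout
        Session b = new Session("B1", "appB", now - 5_000L, 1800);
        ssoRegistry.put("sso-1", new ArrayList<>(List.of(a, b)));
        // appA is undeployed: A1 dies 5 s after its last request, far short of its timeout,
        // so the valve reads it as a logout and B1 goes with it (the JBAS-2429 case above).
        int killed = sessionDestroyed("sso-1", a, now).size();
        System.out.println("undeploy of appA also invalidated " + killed + " session(s); B1 valid=" + b.valid);
    }
}
```

Replacing `now - 5_000L` with an idle time of 1800 s or more makes `looksLikeTimeout` true, and the other session is left alone.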

          • 2. Re: Single SignOn session logoff behavior?
            mikepastor

            Thanks Brian!