4 Replies Latest reply on Jul 20, 2012 12:06 PM by lightguard

    Is it necessary for the Seam IdentityImpl.logout() to invalidate the session?

    jm01

      The Seam 3.1 IdentityImpl.logout() invalidates the session and the session parameters (e.g. the user-selected language) are lost. Is it necessary? Would I break something if I extend the class and skip the session invalidation?

       

      @Named("identity")
      @SessionScoped
      class IdentityImpl implements Identity, Serializable {
           ...
           public void logout() {
                ....
                session.invalidate();
                ...
           }
      
           ...
      }   
           
      

       

      Thanks,

      John

        • 1. Re: Is it necessary for the Seam IdentityImpl.logout() to invalidate the session?
          lightguard

          Probably not, best way to find out though is to try it.

          • 2. Re: Is it necessary for the Seam IdentityImpl.logout() to invalidate the session?
            jm01

            I wrote the following class (copied from the default implementation, but with the session.invalidate() commented out) which overrides the logout method.

             

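            import javax.enterprise.inject.Specializes;
            import javax.enterprise.inject.spi.BeanManager;
            import javax.inject.Inject;

            import org.jboss.seam.security.IdentityImpl;
            import org.jboss.seam.security.events.PostLoggedOutEvent;
            import org.jboss.seam.security.events.PreLoggedOutEvent;

            // Replaces the default IdentityImpl bean through CDI specialization.
            public @Specializes 
            class AltSecurityImpl extends IdentityImpl 
            {
              @Inject BeanManager beanManager;
            
              @Override
              public void logout() {
                System.out.println("My Logout Invoked!");
                if (isLoggedIn()) {
                  // Capture the user before unAuthenticate() clears it.
                  PostLoggedOutEvent loggedOutEvent = new PostLoggedOutEvent(getUser());
            
                  beanManager.fireEvent(new PreLoggedOutEvent());
                  unAuthenticate();
            
                  // Session is deliberately kept alive: the HTTP session and
                  // everything stored in it survive the logout.
                  // session.invalidate();
            
                  beanManager.fireEvent(loggedOutEvent);
                }
              }
            }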
            
            

             

            Tested it and it seems to work with jboss-as 7.1.1 (but not with jboss-as 7.0.1 which I also tested upon).

             

            However I don't feel very confident with my way of action. Is there a more elegant way of doing it?

             

            Thank you,

            John

            • 3. Re: Is it necessary for the Seam IdentityImpl.logout() to invalidate the session?
              jm01

              Dear Jason,

               

              The IdentityImpl.logout() implementation did not use to invalidate the session up until SEAMSECURITY-83 (actually it was you who implemented the "fix").

               

              From the issue report and the forum reference I fail to understand the reason of why the session has to be invalidated after logout, but I am no expert.

               

              Any advice would be very much appreciated.

               

              Thanks again,

              John

              • 4. Re: Is it necessary for the Seam IdentityImpl.logout() to invalidate the session?
                lightguard

                John, you may have a different use case than most people, which is just as valid. The common way we saw Security being used was for people to log into their site, perform some work and log out. They were looking for logout to be the same thing as ending their HttpSession. I think you happen to be one of the few (at least that I'm aware of anyway) that liked it the other way. Using an alternative or specializing should work for what you want to do.
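
A middle ground between the two positions in this thread, as an added example (not code from the posters or from Seam): keep invalidating the session at logout, but carry an allow-list of non-sensitive attributes such as the selected language into a fresh session. The class name, the attribute key `userLocale` and the use of the plain Servlet API (`javax.servlet`) are assumptions; how it is called from a Seam logout is left open.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: end the authenticated session, keep harmless preferences. */
public final class LogoutSessionRenewal {

    // Assumed attribute keys; only non-sensitive UI preferences belong here.
    private static final Set<String> CARRY_OVER = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("userLocale")));

    private LogoutSessionRenewal() {
    }

    /**
     * Invalidates the current session and returns a new one holding only
     * the allow-listed attributes. Returns null if there was no session.
     */
    public static HttpSession renew(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null; // nothing to log out of
        }

        // Copy by allow-list, never by "everything except": anything not
        // named here (identity, roles, tokens) must not survive the logout.
        Map<String, Object> kept = new HashMap<String, Object>();
        for (String name : CARRY_OVER) {
            Object value = old.getAttribute(name);
            if (value != null) {
                kept.put(name, value);
            }
        }

        old.invalidate(); // the old session id is dead from here on

        HttpSession fresh = request.getSession(true); // new id, empty state
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call it before the response is committed, since `getSession(true)` cannot issue the new session cookie afterwards.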