1 Reply Latest reply on Jun 18, 2008 5:16 PM by Guillaume Jeudy

    Single Sign On and logout

    Srinivas Chamarthi Newbie


      I am using JOSSO for single sign-on for my applications. Two applications are Struts-based and the one I am developing is a Seam-based application.

      I had to remove Seam-based security from the application, and I am authenticating based on the SSO session id and keeping loggedInUser in the session in authenticator.authenticate.

      When I log out, I want to remove session-based data in the application. I am using the following code. Could anybody tell me if I am doing things right? I appreciate your help in advance.

      code to authenticate the user

        public String authenticate() {
              // look for the SSO session id set by the JOSSO agent
              HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
              SSOUser ssoUser = (SSOUser) request.getUserPrincipal();
              String ssoSessionId = (String) request.getAttribute("org.josso.agent.ssoSessionid");
              if (ssoSessionId != null && ssoUser != null) {
                   try {
                        // bind the user name as a parameter instead of concatenating it into the JPQL string
                        User user = (User) em.createQuery("select u from User u where u.userName = :userName")
                                  .setParameter("userName", ssoUser.getName())
                                  .getSingleResult();
                        if (user != null) {
                             log.info("user #0 found in context", user.getUserName());
                             return "";
                        }
                   } catch (javax.persistence.NoResultException nre) {
                        facesMessages.add("Invalid login information. Please try again");
                        return "login";
                   }
              }
              return "login";
        }

      logging out the user

         public String logout() {
              // why this is always printed as true ??
              System.out.println(Contexts.isSessionContextActive());
              return "logout";
         }

        • 1. Re: Single Sign On and logout
          Guillaume Jeudy Master

          Why are you not leveraging Seam security? You just need to implement a custom authenticate method that runs your custom authentication routine. If you don't do so you lose a lot of useful features as described here: Seam security

          Here's a guideline for Windows SSO with Seam security integration
          Windows SSO With Seam

          It is very similar to what you are trying to accomplish, just ignore the NTLM auth code and replace this with your JOSSO specific auth code. NTLM auth and JOSSO auth fulfill the same goal anyways.
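
An added sketch of the approach suggested in the reply above (not code from either poster or from the Seam or JOSSO projects): a Seam authenticator that trusts only the principal set by the JOSSO agent and uses Identity.logout() to drop session state. The class name, the loginFromSso page action, the components.xml wiring and the use of the Seam 2.0 Identity.setUsername/getUsername API are assumptions.

```java
import java.security.Principal;
import java.util.List;
import javax.faces.context.FacesContext;
import javax.persistence.EntityManager;
import javax.servlet.http.HttpServletRequest;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

// Assumes components.xml contains
//   <security:identity authenticate-method="#{authenticator.authenticate}"/>
// and that the JOSSO agent has already populated request.getUserPrincipal().
@Name("authenticator")
public class JossoAuthenticator {

    @In private EntityManager em;   // same injected EntityManager as "em" in the post
    @In private Identity identity;

    /** Hypothetical page action: bridge the SSO principal into Seam security. */
    public void loginFromSso() {
        Principal sso = currentRequest().getUserPrincipal();
        if (sso != null && !identity.isLoggedIn()) {
            identity.setUsername(sso.getName()); // Seam 2.0 API; later versions use Credentials
            identity.login();                    // Seam then calls authenticate() below
        }
    }

    /** Called by Seam. Accepts only the name asserted by the SSO agent, never form input. */
    public boolean authenticate() {
        Principal sso = currentRequest().getUserPrincipal();
        if (sso == null || !sso.getName().equals(identity.getUsername())) {
            return false;
        }
        // Bound parameter: the SSO user name is never parsed as part of the JPQL.
        List<?> users = em.createQuery("select u from User u where u.userName = :name")
                          .setParameter("name", sso.getName())
                          .getResultList();
        return users.size() == 1;
    }

    /** Identity.logout() invalidates the HTTP session, so session-scoped data goes with it. */
    public String logout() {
        identity.logout();
        return "logout"; // outcome from the post; its navigation is assumed to end the JOSSO session
    }

    private HttpServletRequest currentRequest() {
        return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    }
}
```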