2 Replies Latest reply on Nov 18, 2005 12:04 PM by Mike Pastor

    Single SignOn session logoff behavior?

    Mike Pastor Newbie

      Hello,

      I've implemented the single sign option on 4.0.3SP1 using the Tomcat server.xml file. Using standard declarative J2EE security, I can now logon once to all of my WebApps running on the server.

      When I kill the http session (invalidate()) in one WebApp, all of the other logged in WebApp sessions are also killed. Can I rely on this behavior for a production application? Any advice would be greatly appreciated!

      Thanks,
      Mike Pastor

        • 1. Re: Single SignOn session logoff behavior?
          Brian Stansberry Master

          When a session is destroyed, the SingleSignOn valve receives a notification. It checks the destroyed session to see whether its maxInactiveInterval has been surpassed. If so, it assumes the session was destroyed due to timeout, and other sessions associated with the sso are not invalidated. If the maxInactiveInterval was not exceeded, it assumes the session was destroyed due to a deliberate call to session.invalidate(). In this case, the other sessions associated with the sso are also invalidated.

          There is a problem this approach, namely that if an app is undeployed, all its sessions are destroyed, probably before their maxInactiveInterval has passed. The sso valve will interpret this as a conscious invalidation and will terminate all associated sessions. So, undeploying a webapp will have the effect of terminating all sso sessions associated with the app. See http://jira.jboss.com/jira/browse/JBAS-2429.