1 2 Previous Next 19 Replies Latest reply on Mar 11, 2005 11:17 AM by julien1 Go to original post
      • 15. Re: not able to get request.getPortletSession().invalidate()
        julien1 Mar 11, 2005 8:50 AM (in response to janole)

        PortletSession.invalidate() does not invalidate the current user, it only invalides the session related to the portlet application. The spec defines that.

        req.getLogout() invalidates another session which is not the same and performs logout. The session invalidated in the one of the portal.

          • Actions
        • 16. Re: not able to get request.getPortletSession().invalidate()
          janole Mar 11, 2005 9:54 AM (in response to janole)


          The spec also defines:

          "If the HttpSession object is invalidated, the PortletSession object must also be invalidated
          by the portlet container.cxv If the PortletSession object is invalidated by a portlet, the
          portlet container must invalidate the associated HttpSession object."

          "The getCreationTime, getId, getLastAccessedTime, getMaxInactiveInterval,
          invalidate, isNew and setMaxInactiveInterval methods of the PortletSession
          interface must provide the same functionality as the methods of the HttpSession
          interface with identical names."

          So since HttpServletRequest.invalidate() invalidates the session and set remoteUser to null, I thougt the same would happen for PortletSession.invalidate()

          What you are saying is that the portlet session does not "own" the user. And that the portal itself has a http session, wich the user belongs to.

          If this is correct, how can I force a user logout from the portal in a portlet wich only implements JSR-168 standard classlib (and not the JBoss add-on classlib)?

            • Actions
          • 17. Re: not able to get request.getPortletSession().invalidate()
            julien1 Mar 11, 2005 10:27 AM (in response to janole)

            janole,

            yes the spec says that and it is what it does, but you misunderstand it.

            portletsession.invalidate() invalidates the http session of the portlet war file, not the session of the portal. there are 2 separate sessions.

            the portable way to do that is to bundle your portlet in the war file of the portal. in that case the 2 sessions will be the same.

            but at the end, invalidating the session does not garantee that the users logout. you have no garantee that invalidating a session performs logout but this is the case on jboss portal when "form" based authentication is used. it would not work with "basic" authentication. And that behavior could change in the future for jboss portal as well.

              • Actions
            • 18. Re: not able to get request.getPortletSession().invalidate()
              janole Mar 11, 2005 11:10 AM (in response to janole)

              Yeap, the portal handles http sessions different than I thougt. I was not aware of that there were different http sessions.

              Personally I prefer "form" based authentication (the way it is in beta 1).
              With "basic" authentication, as you say, you can't "log out" by invalidating the session.

              regards
              Jan Ole

                • Actions
              • 19. Re: not able to get request.getPortletSession().invalidate()
                julien1 Mar 11, 2005 11:17 AM (in response to janole)

                this is configurable in web.xml of the portal, you can use whatever you want (basic,form,etc...)

                the reason we added the logout is to make smth that works without making any hypothesis on the underlying invalidation mechanism.

                  • Actions
                1 2 Previous Next