On 13/10/11 15:14, Brian Burch wrote:
On 13/10/11 11:39, Brian Burch wrote:
To summarise: the webapp's explicit timeout is not being honoured
because its web.xml does not define a <login-config> section. Therefore,
the webapp has defaulted to use the NonLoginAuthenticator - which
honours the existing SSO state (via the client cookie), but does not
associate the Session for the second webapp with the existing SSOEvent
instance.
Before I make this change, I want to satisfy myself that the
NonLoginAuthenticator.authenticate method is working properly according
to the specification.
How about this comment taken from NonLoginAuthenticator.authenticate()!
I hadn't noticed it when running my debugger because all comments are
greyed-out and I was concentrating on the executable code.
/* Associating this request's session with an SSO would allow
coordinated session invalidation, but should the session for
a webapp that the user didn't log into be invalidated when
another session is logged out?
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId != null)
associate(ssoId, getSession(request, true));
*/
I looked at the tomcat6 repository and this code has been commented out
as far back as 6.0.0. I tried looking at tomcat5, but the repository
layout is different and I couldn't even find the source for the class,
even though it must be there. I didn't try too hard, because it is
tomcat6 I am interested in - not a history lesson.
The comment above the no-op'd code doesn't make a lot of sense to me, so
I will go quiet for a few days while I check out 6.0.28 and get it to
build. Once I can do that, I'll uncomment the "interesting" logic and
build it again. I can drop the new jar into my own tomcat server and
follow its behaviour under my debugger.
Brian
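The following web.xml fragment is added here as an illustration; it is not part of Brian's message or of the Tomcat sources. It shows the <login-config> section whose absence the thread identifies as the reason the second webapp falls back to NonLoginAuthenticator, together with the <session-config> timeout that the thread calls the webapp's explicit timeout. FORM is used here, but BASIC would select a real authenticator equally well. The realm name, role name, URL pattern and login page paths are assumed values. Note that <login-config> on its own protects nothing: a <security-constraint> is what actually requires a login for the listed resources, so both are shown.

```xml
<!-- Constructed example web.xml (not from the thread or the Tomcat sources).
     Servlet 2.5 schema, as used by Tomcat 6. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- The webapp's own idle timeout, in minutes (the "explicit timeout"). -->
  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>

  <!-- Without a security constraint the login-config below gates nothing. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>            <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- The section the thread found missing. Defining it selects the
       authenticator for the chosen method (FormAuthenticator here)
       instead of the default NonLoginAuthenticator. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>   <!-- assumed name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

When checking a deployment like the one in the thread, confirm that every webapp sharing the SSO valve has a <login-config> (and a constraint) of its own; a webapp that lacks one is still reachable through the SSO cookie, but its session lives outside the SSO entry and so is neither invalidated nor timed out with the others.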