From: j2ee_junkie <do-...@jb...> - 2006-02-25 15:43:49
Dear Gang,

I recently solved this issue in my environment, so I thought I would add my input. I believe the solution should be handled entirely by Tomcat modifications. Here is my reasoning.

From what I read, the servlet spec only requires a servlet container to destroy the session as a means of logging a user out. However, consider the Tomcat Realm that uses JAAS based AA (which includes the JBossSecurityMgrRealm). In this case, just destroying the session is not enough. I would think a logout() must be called on the LoginContext that authenticated the session user at session destruction time.

What I would suggest (since this is what I did to handle this)...

1.) modify the Authenticator interface
  a.) to be a SessionListener.
  b.) modify the authenticate method of any classes that implement Authenticator such that, if the user is authenticated by the realm, it adds itself to the Session's listener list.
  c.) modify any classes that implement Authenticator with a sessionEvent(SessionEvent) method that will call realm.logout(Principal) if a Session.SESSION_DESTROYED_EVENT occurs.
2.) modify the Realm interface...
  a.) with a logout(Principal) method that can log the Principal out of the realm. Thus any realm that would care to log the user out (such as in our case) can call the LoginContext's logout() method.

If I did not make myself clear, please let me know. Also, if I am way off base, tell me where to go.

later,
cgriffith

b.) In my

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3926268#3926268
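The proposal above (Authenticator registers itself as a SessionListener at authentication time; on SESSION_DESTROYED_EVENT it calls a new realm.logout(Principal), which in turn calls logout() on the JAAS LoginContext that authenticated the user) as an added, self-contained example. This is not code from the post, from Tomcat or from JBoss: the Session, SessionEvent and SessionListener classes here are minimal stand-ins modelled on the org.apache.catalina types of the same name, and JaasRealm, LogoutOnDestroyAuthenticator, DemoLoginModule and UserPrincipal are hypothetical names chosen for the demo. Only the JAAS classes (LoginContext, LoginModule, Configuration) are the real JDK API. The LoginModule accepts any user unconditionally, so the example only shows the lifecycle, not credential checking.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SessionLogoutDemo {

    /** Hypothetical named principal (a real realm would return its own Principal type). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Constructed demo LoginModule: accepts the user named in its options, removes it again on logout(). */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s;
            principal = new UserPrincipal((String) options.get("user"));
        }
        public boolean login()  { return true; }   // demo only: no credential check at all
        public boolean commit() { subject.getPrincipals().add(principal); return true; }
        public boolean abort()  { return true; }
        public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    /** Hypothetical realm with the proposed logout(Principal); remembers the LoginContext per principal. */
    static class JaasRealm {
        private final Map<Principal, LoginContext> contexts = new HashMap<>();

        Principal authenticate(String user) throws LoginException {
            // Inline JAAS configuration so the example needs no login.config file.
            Configuration conf = new Configuration() {
                @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Map.of("user", user)) };
                }
            };
            LoginContext lc = new LoginContext("demo", new Subject(), callbacks -> { }, conf);
            lc.login();                                   // runs DemoLoginModule.login()/commit()
            Principal p = lc.getSubject().getPrincipals().iterator().next();
            contexts.put(p, lc);                          // keep it so logout() can reach it later
            return p;
        }

        void logout(Principal p) throws LoginException {
            LoginContext lc = contexts.remove(p);
            if (lc != null) lc.logout();                  // drives DemoLoginModule.logout()
        }

        boolean isLoggedIn(Principal p) { return contexts.containsKey(p); }
    }

    /** Minimal stand-ins for org.apache.catalina.SessionListener/SessionEvent/Session. */
    interface SessionListener { void sessionEvent(SessionEvent e); }

    static final class SessionEvent {
        static final String SESSION_DESTROYED_EVENT = "destroySession";   // Tomcat's own type string
        final Session session;
        final String type;
        SessionEvent(Session s, String t) { session = s; type = t; }
    }

    static final class Session {
        private final List<SessionListener> listeners = new ArrayList<>();
        Principal principal;
        void addSessionListener(SessionListener l) { listeners.add(l); }
        /** What the container does when the session is invalidated or times out. */
        void expire() {
            SessionEvent ev = new SessionEvent(this, SessionEvent.SESSION_DESTROYED_EVENT);
            for (SessionListener l : new ArrayList<>(listeners)) l.sessionEvent(ev);
        }
    }

    /** Authenticator that listens on the session it authenticated and logs the principal out on destroy. */
    static final class LogoutOnDestroyAuthenticator implements SessionListener {
        private final JaasRealm realm;
        LogoutOnDestroyAuthenticator(JaasRealm realm) { this.realm = realm; }

        void authenticate(Session session, String user) throws LoginException {
            session.principal = realm.authenticate(user);
            session.addSessionListener(this);             // step 1b: register only after success
        }

        public void sessionEvent(SessionEvent e) {        // step 1c
            if (SessionEvent.SESSION_DESTROYED_EVENT.equals(e.type) && e.session.principal != null) {
                try { realm.logout(e.session.principal); }
                catch (LoginException ex) { throw new IllegalStateException("JAAS logout failed", ex); }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        JaasRealm realm = new JaasRealm();
        LogoutOnDestroyAuthenticator auth = new LogoutOnDestroyAuthenticator(realm);
        Session session = new Session();
        auth.authenticate(session, "alice");              // "alice" is a constructed sample user
        System.out.println("after login : logged in = " + realm.isLoggedIn(session.principal));
        session.expire();                                 // container destroys the session
        System.out.println("after expire: logged in = " + realm.isLoggedIn(session.principal));
    }
}
```

Two points worth checking when carrying this into a real container: the realm must hold the LoginContext (or the Subject it produced) keyed by something stable, because logout() has to be invoked on the same LoginContext that performed login(); and the listener must be registered only after authentication succeeded, otherwise a destroyed anonymous session would call logout() for a principal that was never logged in.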