http://issues.apache.org/bugzilla/show_bug.cgi?id=40775

           Summary: Single-sign on session invalidation not working as expected
           Product: Tomcat 5
           Version: 5.5.17
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

After enabling the single sign-on valve, I noticed unexpected logout behavior. Here are steps to reproduce:

1. Using form auth, log into webapp1 (by attempting to access a protected resource that does not exist).
2. An attempt to access a protected resource in webapp2 is granted (meaning you are logged into 2 by logging into 1, as we expect).
3. Invalidating the session from webapp2 does not log you out.

It appears that you are able to sign on and be authorized by other webapps without accessing an existing protected resource, but you will not be able to log out from those webapps. I can provide simple sample webapps to demonstrate this behavior.

This was discovered in an embedded Tomcat in JBoss, and they explained the issue as follows:

"What you're seeing is due to a subtlety in your test combining with a subtlety in how Tomcat SSO invalidation works. The reason you can invalidate an SSO and not just a single session by calling session.invalidate() is because Tomcat provides a reference to the session to the SSO valve. The valve registers as a listener on the session and thus gets a callback when you call session.invalidate(). It then uses that callback to invalidate the SSO. The problem is the way Tomcat provides the reference to the session to the SSO valve. This only happens if you access a protected resource. If you look at the steps in your test, you'll notice you never access a protected resource in testapp2. Thus the SSO valve doesn't know about your testapp2 session. When you invalidate the session, the SSO doesn't get invalidated.
"

I expect that if you are considered logged into a webapp you should also be able to log out from that same webapp. Please let me know your thoughts.

Thanks,
Mark
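The mechanism the JBoss explanation describes, as an added example (not Tomcat's own code): a simplified Python model in which the SSO registry only registers a session listener when a webapp hands the valve its session. Class and function names (Session, SSORegistry, run_scenario) are assumptions made for the model; the flag register_on_authorize switches between the reported behaviour (webapp2's session never reaches the valve) and the behaviour the reporter expects (any webapp that grants access via SSO registers its session).

```python
# Simplified model of the Tomcat SSO valve / session listener interaction
# described in the bug report. Constructed for illustration only.

class Session:
    """An HttpSession-like object that notifies listeners on invalidate()."""
    def __init__(self, app, sid):
        self.app, self.id, self.valid = app, sid, True
        self.listeners = []

    def add_listener(self, callback):
        self.listeners.append(callback)

    def invalidate(self):
        self.valid = False
        for callback in list(self.listeners):
            callback(self)   # the SSO valve's callback lives here


class SSORegistry:
    """The SSO valve's view: sso_id -> principal plus the sessions it knows."""
    def __init__(self):
        self.entries = {}

    def register(self, sso_id, principal):
        self.entries[sso_id] = {"principal": principal, "sessions": []}

    def associate(self, sso_id, session):
        # Only called when a webapp hands its session to the valve.
        entry = self.entries.get(sso_id)
        if entry is None or session in entry["sessions"]:
            return
        entry["sessions"].append(session)
        session.add_listener(lambda s: self.deregister(sso_id))

    def deregister(self, sso_id):
        # Invalidating the SSO cascades to every session it knows about.
        entry = self.entries.pop(sso_id, None)
        if entry:
            for s in entry["sessions"]:
                if s.valid:
                    s.invalidate()   # re-entrant deregister finds nothing; fine

    def is_logged_in(self, sso_id):
        return sso_id in self.entries


def run_scenario(register_on_authorize):
    """Return (sso_still_valid, webapp1_session_still_valid) after step 3."""
    sso, s1, s2 = SSORegistry(), Session("webapp1", "s1"), Session("webapp2", "s2")
    sso.register("sso-1", "mark")
    sso.associate("sso-1", s1)           # form login in webapp1 (step 1)
    if register_on_authorize:            # webapp2 granted via SSO (step 2)
        sso.associate("sso-1", s2)
    s2.invalidate()                      # logout from webapp2 (step 3)
    return sso.is_logged_in("sso-1"), s1.valid
```

With register_on_authorize=False the SSO and the webapp1 session survive the logout, which is the reported behaviour; with True the callback deregisters the SSO and cascades to webapp1.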