To save some time for others who may be interested ... I ran into this unexpected and odd behaviour:

1) Tomcat 5, SSO enabled (the usual <Valve className="org.apache.catalina.authenticator.SingleSignOn">)
2) Two JSPWiki instances (2.8.1), where everything should be accessible only to authenticated users

Log into wiki1: ok.
Go to wiki2: SSO works, automatically authenticated.
Log out from wiki2: nothing happens.

Thanks to Google I got to http://osdir.com/ml/java.jspwiki.user/2006-11/msg00172.html, and thanks to Andrew Jaquith, who wrote the post, some light. But also some more doubt. It turns out that in wiki2, after the logout, you get a brand new session that is already authenticated. But if you then edit a page, a logout would work.

Some more googling and:

http://mail-archives.apache.org/mod_mbox/tomcat-dev/200610.mbox/%[email protected]/bugzilla/%3E

explains the mystery.

What happens is that session.invalidate in wiki2 only invalidates the local session. This *should* propagate, because in Tomcat the SSO valve sets up a listener, but it only does so if the second application registers, and this seems to happen *only* when you access a protected resource. But the normal wiki web.xml sets up a security constraint *only* on a subset of resources, notably not on wiki.jsp, to allow for anonymous logins; so the session is obtained through the WikiServletFilter, but the security constraints are applied only on edit .. which explains the odd behaviour.

Hence, if you want to have SSO AND only authenticated users, the simple solution is to set up the valve and the JSPWiki web.xml normally, BUT you also need to add a further security constraint, such as <url-pattern>/Wiki.jsp</url-pattern>, in the authenticated area.

No idea about how (and if it is possible at all) to enable SSO AND solve this problem AND keep the anonymous access; in our case this is not an issue (no anonymous access),
so my own problem is solved ... any other better idea welcome.

LG
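The two pieces of configuration the post describes, as an added example (not the post's own text and not JSPWiki's shipped web.xml); the Host layout, the /Edit.jsp pattern and the role name Authenticated are assumptions, only the valve class and /Wiki.jsp come from the post:

```xml
<!-- Added example for Tomcat 5 + JSPWiki 2.8.1; role name, context names and the
     /Edit.jsp pattern are assumptions standing in for the wiki's real web.xml. -->

<!-- 1) server.xml: the SSO valve sits on the <Host> that serves BOTH wiki
     contexts; the SSO session only spans contexts of the same Host. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  <Context path="/wiki1" docBase="wiki1" />   <!-- assumed context names -->
  <Context path="/wiki2" docBase="wiki2" />
</Host>

<!-- 2) web.xml of EACH wiki. A default-style constraint like the one below covers
     only the editing pages, so a user who merely reads Wiki.jsp never passes
     through the authenticator and the context never registers with the SSO
     session: session.invalidate() on logout then stays local to that context. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Edit area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>      <!-- assumed default pattern -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>    <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- The fix from the post: a further constraint that puts the read page itself in
     the authenticated area. The first request to Wiki.jsp now goes through the
     authenticator, the context joins the SSO session, and a logout in either wiki
     propagates to the other. Side effect: no anonymous reading in this wiki. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Wiki.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>    <!-- assumed role name -->
  </auth-constraint>
</security-constraint>
```

A quick check after deploying: log into wiki1, open wiki2 (auto-authenticated), log out of wiki2, then reload wiki1; it should now ask you to log in again rather than still show you signed in.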
