[ https://issues.apache.org/jira/browse/OFBIZ-10047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16296545#comment-16296545 ]

Jacques Le Roux commented on OFBIZ-10047:
-----------------------------------------

I reviewed the code a last time and read the Tomcat links I posted above.

There is one thing I wonder about. At 
https://tomcat.apache.org/tomcat-8.5-doc/config/host.html#Single_Sign_On it's 
said
bq. As soon as the user logs out of one web application (for example, by 
invalidating the corresponding session if form based login is used), the user's 
sessions in all web applications will be invalidated. Any subsequent attempt to 
access a protected resource in any application will require the user to 
authenticate himself or herself again.
This obviously works in OFBiz (not new) and it's not due to
{code}
        if (EntityUtilProperties.propertyValueEquals("security", "security.login.tomcat.sso", "true")) {
            try {
                // log out from Tomcat SSO
                request.logout();
            } catch (ServletException e) {
                Debug.logError(e, module);
            }
        }
{code}
in LoginWorker because despite what is said at 
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()
bq.  Establish null as the value returned when getUserPrincipal, getRemoteUser, 
and getAuthType is called on the request.
As HttpServletRequest.html is only an interface, nothing is implemented there. 
So I think we don't need this block of code at all.

Also, as I said above, logging out from Tomcat SSO is not an issue for OFBiz.

> Tomcat SSO
> ----------
>
>                 Key: OFBIZ-10047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10047
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, 
> OFBIZ-10047.patch, OFBIZ-10047.patch
>
>
> Proposing Tomcat SSO to be used in OFBiz to improve on Single-Sign-On.
> This aims to fix the issues mentioned in OFBIZ-6963, OFBIZ-6994.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
