it's in the "clean things up" step that something went wrong.

You need to do a session.invalidate(), and then create a new guest session with a session.create("true"). Here is the bit in the RequestProcessor of the BluePrint (petstore):

    if (event instanceof LogoutEvent)
    {
        ... whatever ...
        session.invalidate();
        ... whatever ...
        HttpSession validSession = req.getSession(true);
        ... whatever ...
    }

This is usually done in a servlet. I would do the same thing here. Instead of using the client -> slsb -> whatever ... use client -> servlet -> slsb -> whatever bean. This way, you can abstract whatever login/logout and session control directly with the servlet, and you also abstract instancing the slsb -> whatever bean. The servlet can also be load balanced (the slsb can't be) so if you want failover capability, you get it.

regards,
the elephantwalker
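
The logout handling described in the message above, as an added example that is not part of the original post or of the Petstore BluePrint. The class name, the "role" attribute and the redirect target are assumptions, and the code needs the javax.servlet API and a servlet container:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the class name, the "role" attribute and the
// redirect target are assumptions made for this example.
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session
        // only so that it can be thrown away again.
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Unbinds every attribute and retires the session id, so
            // nothing stored for the logged-in user survives the logout.
            old.invalidate();
        }

        // After invalidate() the old reference is unusable (most calls
        // throw IllegalStateException), so ask the container for a new
        // session with a new id and mark it as a guest session.
        HttpSession guest = req.getSession(true);
        guest.setAttribute("role", "guest");

        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```
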
- Security bug with application clients? Michael Jara
- Re: Security bug with application clients? elephantwalker
- Re: Security bug with application clients? Lachezar Dobrev
- RE: Security bug with application clients? Dvornikov Victor
- Re: Security bug with application clients? Michael Jara
- Re: Security bug with application clients? Tim Endres
- RE: Security bug with application clients? cybermaster
- RE: Security bug with application clients? Dvornikov Victor