Dear Elephantwalker

 

 

As we all know, you are right that my session beans have access to a SessionContext, but I think this is not enough for performing the logout.

 

As I mentioned, the user has been logged in by calling the login method on the RoleManager from a session bean, and this means that the user is logged in to the Orion server, he has a role and can access EJB methods and so forth. Now, to log him out again I have to tell the Orion server that he is to be logged out, so Orion will no longer allow him to access the EJBs which are protected by the security model (e.g. calling a method which requires the role “Administrator”). And to do this, I need some kind of logout method in the Orion API.

 

It will not be enough to just alter the state of my beans (as mentioned by Peter Saurugger), because Orion will still think the user is logged in and has permissions to access my EJB methods.

 

Now, you mention SessionContext… are you thinking of the now deprecated HttpSessionContext which was available to JSPs? From that you could get an HttpSession upon which you could invoke the invalidate method. However, this is not possible with the object of type SessionContext which my session beans have access to. It has no getSession method or the like.

 

I sure hope somebody can think of an answer to this issue. Either that, or I am stuck with making the client open an HTTP connection to call a servlet which performs the logout… I would really hate that.

 

 

Randahl

 

 

 

 

-----Original Message-----
From: The elephantwalker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 00:47
To: Orion-Interest; [EMAIL PROTECTED]
Subject: RE: Orion user management

 

Dear Randahl,

 

To log out a user, you must have a session context associated with your application. For example, if your Swing client is accessing EJBs, the Swing client can access everything through a stateful session bean. Session beans have a session context associated with them...

 

regards,

 

the elephantwalker

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Randahl Fink Isaksen
Sent: Wednesday, April 03, 2002 1:08 AM
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: Orion user management

Hi Peter

 

 

I was just wondering: In your search for user management methods, have you ever come across a logout() method? It seems odd to me that there is only a login method on the role-manager interface – if you are dealing with an application client (e.g. a Swing client) instead of a regular web client, you log the user in using the role-manager login() method, but there seems to be no means for logging the user out again.

 

 

Thanks for your time

 

Randahl

 
