I have a problem using SingleSignOn with a Struts 1.1 app in Tomcat 4.1 (tried 24 & 29).
I have Tomcat set up with the SingleSignOn valve, and a number of web apps (5) all using FORM based authentication. The single sign-on seems to be working fine for 4 out of the 5, but I have a problem with the sessions in the 5th app.

The problem is that although at first glance the SSO appears to work, in reality this single app is creating a separate new session for the user on top of the one they already have. This causes a problem upon logout, because the common session is invalidated, but the one that is specific to the Struts app remains valid. This means that if the user then navigates directly to the Struts application they are still logged in. This is a Bad Thing.

In an attempt to trace this issue, I set up an HttpSessionListener in the offending application and dumped the stack in the sessionCreated() method. It appears that a new session is created during processing of the Struts RequestProcessor.processLocale() method. The JavaDoc warns that this may happen if a session does not exist, but in my case a valid session must already exist since I have used SSO to log in in a different app (and watched a session being created there using another listener)!

I'm confused. Why does this one single application not see the existing session? Have I missed some silly config? Is it a bug?

Thanks in advance,
Kev

---
Kev Palfreyman
Cambridge, UK
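
The diagnostic described in the post, as an added example that is not part of the original message: a session listener that logs a stack trace each time the container creates a session in the web app it is registered in, and logs when that session is destroyed. The class name `SessionTraceListener` is hypothetical; the calls are the standard Servlet 2.3 API.

```java
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name. Register it in the web app's WEB-INF/web.xml:
//   <listener>
//     <listener-class>SessionTraceListener</listener-class>
//   </listener>
public class SessionTraceListener implements HttpSessionListener {

    // Log only a short prefix of the id: enough to correlate create and
    // destroy events without writing a usable session token to the log.
    private static String shortId(HttpSession session) {
        String id = session.getId();
        return id.substring(0, Math.min(8, id.length())) + "...";
    }

    // Called by the container whenever a new session is created in this web app.
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        ServletContext ctx = session.getServletContext();
        // The Throwable is never thrown; it only captures the call stack,
        // which shows the code path that asked for the new session.
        ctx.log("Session created: id=" + shortId(session)
                + " context=" + ctx.getServletContextName(),
                new Throwable("session creation stack"));
    }

    // Called when the session is invalidated or times out.
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        session.getServletContext().log(
                "Session destroyed: id=" + shortId(session));
    }
}
```

Registering the same listener in each web app and comparing the created and destroyed entries around a logout shows which sessions the logout actually invalidates and which remain.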