I have a problem using SingleSignOn with a Struts 1.1 app in Tomcat 4.1
(tried 24 & 29).

I have Tomcat set up with the SingleSignOn valve, and a number of web
apps (5) all using FORM-based authentication.  The single sign-on seems
to be working fine for 4 out of the 5, but I have a problem with the
sessions in the 5th app.

The problem is that although at first glance the SSO appears to work, in
reality this single app is creating a separate new session for the user
on top of the one they already have.  This causes a problem upon logout,
because the common session is invalidated, but the one that is specific
to the Struts app remains valid.  This means that if the user then
navigates directly to the Struts application they are still logged in.
This is a Bad Thing.

In an attempt to trace this issue, I set up an HttpSessionListener in
the offending application and dumped the stack in the sessionCreated()
method.  It appears that a new session is created during processing of
the Struts RequestProcessor.processLocale() method.  The JavaDoc warns
that this may happen if a session does not exist, but in my case a valid
session must already exist since I have used SSO to log in in a different
app (and watched a session being created there using another listener)!

I'm confused.  Why does this one single application not see the existing
session?
Have I missed some silly config?  Is it a bug?

Thanks in advance,

        Kev

---
Kev Palfreyman  
Cambridge, UK
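
The tracing technique described in the message, written out as an added example that is not part of the original post: a Servlet 2.3 `HttpSessionListener` that logs where each session is created and when it is destroyed. The package and class names and the log prefix are hypothetical; session IDs are truncated so the log does not hold usable credentials.

```java
package example; // hypothetical package name

import java.io.PrintWriter;
import java.io.StringWriter;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Register once per web app in WEB-INF/web.xml:
 *   <listener>
 *     <listener-class>example.SessionCreationTracer</listener-class>
 *   </listener>
 * Deploying it in every app behind the SingleSignOn valve makes it easy to
 * see which context creates a session and which sessions outlive a logout.
 */
public class SessionCreationTracer implements HttpSessionListener {

    // Log only a prefix of the ID: enough to correlate CREATED/DESTROYED
    // lines, not enough to replay the session from a leaked log file.
    private static String shortId(HttpSession session) {
        String id = session.getId();
        return id.length() > 8 ? id.substring(0, 8) + "..." : id;
    }

    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        ServletContext ctx = session.getServletContext();

        // Capture the call stack so the code path that called
        // request.getSession() or getSession(true) is visible in the log.
        StringWriter stack = new StringWriter();
        new Throwable("session created here")
                .printStackTrace(new PrintWriter(stack, true));

        ctx.log("[session-trace] CREATED id=" + shortId(session)
                + " context=" + ctx.getServletContextName()
                + "\n" + stack);
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        ServletContext ctx = session.getServletContext();
        // A CREATED line with no matching DESTROYED line after logout
        // identifies the session that stayed valid.
        ctx.log("[session-trace] DESTROYED id=" + shortId(session)
                + " context=" + ctx.getServletContextName());
    }
}
```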
