At 08:21 PM 11/24/2003 +0100, Remy wrote: >Brian Stansberry wrote: >>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote: >> >>>I have tried applying the patch, and I found three problems with >>>it. First, its removal of a session from the SingleSignOnEntry >>>object causes an IndexOutOfBounds exception. Second, the method >>>for determining whether the user explicitly logged out or whether a >>>session timed out doesn't scale one of the numbers correctly (i.e. >>>comparing millisecond values to seconds). I have fixed the patch, >>>but I don't have a diff of it yet (I'm new to helping with this >>>project). Finally, the patch doesn't synchronize on 'reverse' when >>>removing an entry from it. >> >>I also looked at the code for StandardSession.getLastAccessedTime() >>and it looks as if it will throw an IllegalStateException if the >>session is expired. So that would break the algorithm used in the >>9077 patch. >>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify >>throwing an IllegalStateException for a call to >>getLastAccessedTime(). It looks as if the exception throw was added >>in response to bug 15967, which stated that the javadoc does specify >>the exception, but I'm looking at the javadoc for both Servlet 2.3 >>and 2.4, and in both cases it's not specified. > >Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)
Sure; I'm starting on it now. However, Jean-Francois found a HttpSession javadoc that specifies throwing an IllegalStateException in getLastAccessedTime(). If that is in the final spec, the 9077 patch algorithm will not work. I'll work on it anyway in case the exception's not in the final spec. As a backup, I've attached a patch that restores your earlier removal of the logout code. Brian Stansberry WAN Concepts, Inc. www.wanconcepts.com Tel: (510) 894-0114 x 116 Fax: (510) 797-3005
Index: SingleSignOn.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v retrieving revision 1.8 diff -u -r1.8 SingleSignOn.java --- SingleSignOn.java 24 Nov 2003 16:46:56 -0000 1.8 +++ SingleSignOn.java 24 Nov 2003 20:14:10 -0000 @@ -376,7 +376,11 @@ if (ssoId == null) return; - if ( event.getData() != null + deregister(ssoId); + // FIXME: There's no way right now to specify per application or + // global logout + /* + if ( event.getData() != null && "logout".equals( event.getData().toString() )) { // logout of all applications deregister(ssoId); @@ -384,6 +388,7 @@ // invalidate just one session deregister(ssoId, session); } + */ }
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]