On Tue, Aug 11, 2009 at 17:46, Norman Franke<nor...@myasd.com> wrote:
> The JavaDoc on org.apache.tapestry5.service.Request states that
> "getSession(false)" should return NULL if the session is invalidated. This
> is not happening, it returns the invalidated session.
>
> I think this is because tapestry-spring-security is using the
> HttpServletRequest and thus the HttpSession instead of the Tapestry Session
> in LogoutServiceImpl. Invalidating the HttpSession does NOT invalidate the
> Tapestry session causing all sorts of issues. If I invalidate the Tapestry
> session first, then call logoutService.logout() it seems to work.
>
> Can this be fixed in tapestry-spring-service?

Sure, if we can work out the proper way to solve this. If I understand you, the logoutService invalidates the HttpSession, which makes Tapestry session throw an exception?

Currently the LogoutService logs out the following two cases:

    public static void contributeLogoutService(
            final OrderedConfiguration<LogoutHandler> cfg,
            @InjectService("RememberMeLogoutHandler")
            final LogoutHandler rememberMeLogoutHandler) {
        cfg.add("securityContextLogoutHandler", new SecurityContextLogoutHandler());
        cfg.add("rememberMeLogoutHandler", rememberMeLogoutHandler);
    }

My guess is that one probably should add a tapestry logout handler, which should invalidate the tapestry session?, but I'm not sure whether this should be default or up to the user. But if the LogoutService is unusable without the tapestry logout handler I guess it's of use by default :)

--
regards,
Robin
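
One way the Tapestry logout handler discussed in this thread could look, as an added example that is not code from tapestry-spring-security or from either poster. It assumes Tapestry 5.1 and the Spring Security 2.x package names; `TapestrySessionLogoutHandler`, `AppModule` and the contribution id are hypothetical names.

```java
// Added example, not tapestry-spring-security code.
// Assumption: Tapestry 5.1 with Spring Security 2.x package names.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;
import org.springframework.security.Authentication;
import org.springframework.security.ui.logout.LogoutHandler;

public class AppModule {

    /** Hypothetical handler: invalidates the session through Tapestry's wrapper. */
    static class TapestrySessionLogoutHandler implements LogoutHandler {

        // Tapestry's Request service, resolved per request by the IoC container
        private final Request request;

        TapestrySessionLogoutHandler(Request request) {
            this.request = request;
        }

        public void logout(HttpServletRequest servletRequest,
                           HttpServletResponse servletResponse,
                           Authentication authentication) {
            // false: never create a session only to destroy it
            Session session = request.getSession(false);
            if (session != null) {
                // Marks the Tapestry wrapper invalid and invalidates the
                // underlying HttpSession, so no stale wrapper is left behind
                session.invalidate();
            }
        }
    }

    public static void contributeLogoutService(
            OrderedConfiguration<LogoutHandler> cfg, Request request) {
        // Order matters: run before the Spring handler that invalidates the
        // raw HttpSession, matching the order reported to work in the thread
        cfg.add("tapestrySessionLogoutHandler",
                new TapestrySessionLogoutHandler(request),
                "before:securityContextLogoutHandler");
    }
}
```

After logout, a request that still presents the old session cookie should get `null` from `request.getSession(false)`; that is the check to run when verifying the ordering in a given application.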