On Aug 11, 2009, at 5:20 PM, Robin Helgelin wrote:
On Tue, Aug 11, 2009 at 17:46, Norman Franke<nor...@myasd.com> wrote:
The JavaDoc on org.apache.tapestry5.service.Request states that
"getSession(false)" should return NULL if the session is
invalidated. This
is not happening, it returns the invalidated session.
I think this is because tapestry-spring-security is using the
HttpServletRequest and thus the HttpSession instead of the Tapestry
Sesssion
in LogoutServiceImpl. Invalidating the HttpSession does NOT
invalidate the
Tapestry session causing all sorts of issues. If I invalidate the
Tapestry
session first, then call logoutService.logout() it seems to work.
Can this be fixed in tapestry-spring-service?
Sure, if we can work out the proper way to solve this. If I understand
you, the logoutService invalidates the HttpSession, which makes
Tapestry session throw an exception?
Currently the LogoutService logs out the following two cases:
public static void contributeLogoutService(
final OrderedConfiguration<LogoutHandler> cfg,
@InjectService("RememberMeLogoutHandler")
final LogoutHandler rememberMeLogoutHandler) {
cfg.add("securityContextLogoutHandler",
new SecurityContextLogoutHandler());
cfg.add("rememberMeLogoutHandler", rememberMeLogoutHandler);
}
My guess is that one probably should add a tapestry logout handler,
which should invalidate the tapestry session?, but I'm not sure
whether this should be default or up to the user. But if the
LogoutService is unusable without the tapestry logout handler I guess
it's of use be default :)
--
regards,
Robin
I think it should be the default, since one is using it with Tapestry,
after all, and invalidating the HttpSession really does confuse
Tapestry, making logoutService rather useless.
Norman Franke
Answering Service for Directors, Inc.
www.myasd.com
