<quoted mail>
-----Original Message-----
From: Gael Abadin [mailto:gael.aba...@imatia.com]
Sent: Friday, January 29, 2016 10:33 AM
To: Tomcat Users List
Subject: client ssl renegotiation after invalidating session

I want to invalidate the client SSL cert authentication after the user logs out of my application. There is nothing about it in the docs, and Google just digs out this unanswered old thread from this users list in 2007:
https://mail-archives.apache.org/mod_mbox/tomcat-users/200706.mbox/%3c306958.89260...@web36804.mail.mud.yahoo.com%3E

Does anybody know if there is any way to do it?
</quoted mail>

Depends what your version of Tomcat is. Since we skipped from 5.5 to 7.0 I don't know if 6 has this attribute. For 5.5 we used reflection to dig into the Request object and dig out the SSLSessionManager, which was kind of annoying since things shifted underground and we had to readjust for different releases of 5.5.

    import java.lang.reflect.Method;
    import javax.servlet.http.HttpServletRequest;

    // 'log' and FedSrvServlet are the poster's own logger and helper class;
    // getServletContainerServerInfo() returns the container's server info
    // string, e.g. "Apache Tomcat/7.0.x".
    private static boolean invalidateTomcat7AndAboveSSLSession(HttpServletRequest httpRequest) {
        String serverInfo = FedSrvServlet.getServletContainerServerInfo();
        if (serverInfo == null) {
            log.error("Failed to determine server version");
            return false;
        }
        boolean compatibleTomcat = serverInfo.contains("Tomcat")
                && (serverInfo.contains("7.0") || serverInfo.contains("8.0") || serverInfo.contains("9.0"));
        if (!compatibleTomcat) {
            return false;
        }

        // Tomcat 7+ exposes its org.apache.tomcat.util.net.SSLSessionManager
        // as a request attribute on SSL connectors
        Object mgr = httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
        if (mgr == null) {
            log.error("Failed to reset SSL session: httpRequest.getAttribute(\"javax.servlet.request.ssl_session_mgr\") call failed to return session manager object");
            return false;
        }

        // getMethod() throws NoSuchMethodException rather than returning null,
        // so bail out here instead of falling through to invoke() on a null Method
        Method invalidateSessionMethod;
        try {
            invalidateSessionMethod = mgr.getClass().getMethod("invalidateSession");
            invalidateSessionMethod.setAccessible(true);
        } catch (Throwable t) {
            log.error("Failed to reset SSL session: " + t.getMessage(), t);
            return false;
        }

        // Invalidate the SSL session; the client has to run a full handshake on its next request
        try {
            invalidateSessionMethod.invoke(mgr);
            log.trace("SSL session reset successfully");
            return true;
        } catch (Throwable t) {
            log.error("Failed to reset SSL session: invalidateSession() threw exception: " + t.getMessage(), t);
            return false;
        }
    }

Hope this helps.

George
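As an added example (not George's or Tomcat's code): a logout servlet for Tomcat 7+ that performs the same invalidation through the typed org.apache.tomcat.util.net.SSLSessionManager interface named in the reply above, so no reflection is needed. It assumes tomcat-coyote.jar is on the compile classpath (which ties the webapp to Tomcat) and a connector with client certificate authentication enabled.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

/** Logout endpoint that drops both the application session and the TLS session. */
public class LogoutServlet extends HttpServlet {

    // Attribute under which Tomcat 7+ publishes its SSL session manager (from the thread above).
    static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the application's own state first: this is what actually ends the login.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Drop the TLS session so the next request cannot resume it with an abbreviated
        //    handshake and must run a full one. Only works when the request arrived over a
        //    Tomcat SSL connector; plain HTTP or TLS terminated at a fronting proxy yield null.
        boolean tlsReset = invalidateTlsSession(req);

        // Caveat: this does not revoke the client certificate. A browser holding a valid cert
        // will present it again on the fresh handshake, usually without prompting, so the
        // application must rely on its own session state (step 1) to treat the user as logged out.
        resp.setContentType("text/plain");
        resp.getWriter().println(tlsReset ? "logged out, TLS session reset"
                                          : "logged out (TLS session not reset)");
    }

    /** Returns true when the container exposed an SSLSessionManager and it was invalidated. */
    static boolean invalidateTlsSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (!(mgr instanceof SSLSessionManager)) {
            return false;
        }
        ((SSLSessionManager) mgr).invalidateSession();
        return true;
    }
}
```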