2011/10/11 Brian Burch <br...@pingtoo.com>:
>
> 2. My root welcome page does an html redirect to a small webapp called
> static, which has its own web.xml. The redirect is to a page which is
> protected by a security constraint which requires a FORM-based login (this
> server only has an SSL Connector defined). The static web.xml defines its
> session-timeout to be 20 minutes.
>
>(...)
> 6. The user tries to refresh the second webapp's page after about 25
> minutes, but the GET fails with 403 status and the explanation "access to
> resource has been denied". Apparently, the user's session has been timed out
> and so he or she is no longer authorised to access the resource.
>
> 7. When I attach a debugger to the source code in my second webapp, I can
> stop execution and display context variables:
> *** HttpServletRequest.StandardSession.maxInactiveInterval has the value
> 7200 (i.e. 120 minutes),
> which is the time defined in the webapp's own xml.
>
>
> These observations suggest the session is being timed out based on the value
> for the webapp first encountered by SSO, possibly associated with the entire
> SSO Realm, and is not being modified by the individual webapps within the
> Realm.
>
> I can see some relevant logic within the source code of
> SingleSignOn.sessionEvent(SessionEvent), but I don't know which session
> instance it will be working with:
>

Sessions in each of the webapps are independent from each other. That is
what the Servlet specification requires.

The org.apache.catalina.authenticator.SingleSignOn valve
invalidates the SSO session when a session is explicitly invalidated
(that is what you usually do on logout: session.invalidate()).

It tries to differentiate between explicit session invalidation and its
timing out. Timed out sessions are just removed, and invalidation
happens when the last session for the same SSO id has been removed.

Maybe something goes wrong in SingleSignOn#sessionEvent(...) - you may
try to debug it (see Wiki) or at least enable debug logging for that
class.

http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

Best regards,
Konstantin Kolinko
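
A diagnostic aid for the situation discussed above, added here as an example; it is not code from this thread or from Tomcat. It is an HttpSessionListener that logs, per webapp, each session's maxInactiveInterval at creation and, at destruction, whether the container expired the session for inactivity or the application invalidated it explicitly. Deployed in both the "static" webapp and the second webapp, its log lines show which webapp's session actually ended at the 25-minute mark and with which timeout value, which is the question raised in point 7. It assumes a Servlet 3.0 container (Tomcat 7) so that @WebListener is discovered automatically; the package name is a placeholder, and on an older container the class would be registered with a <listener> element in web.xml instead. The timed-out/explicit decision is a heuristic based on the session's idle time, not the valve's own logic.

```java
// Added diagnostic example (not from the thread or from Tomcat).
// Assumes Servlet 3.0 (Tomcat 7) so @WebListener is picked up;
// the package name below is a placeholder.
package example.diag;

import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionEndListener implements HttpSessionListener {

    // Logger name follows the class, so it can be raised to FINE/INFO
    // in conf/logging.properties per webapp if needed.
    private static final Logger LOG =
            Logger.getLogger(SessionEndListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        // Record which timeout this webapp's session actually received.
        LOG.info("session created id=" + s.getId()
                + " maxInactiveInterval=" + s.getMaxInactiveInterval() + "s"
                + " webapp=" + s.getServletContext().getContextPath());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        // Tomcat notifies listeners before marking the session invalid,
        // so lastAccessedTime is still readable here.
        long idleMillis = System.currentTimeMillis() - s.getLastAccessedTime();
        int maxInactive = s.getMaxInactiveInterval();
        // Heuristic: if the inactivity window had already elapsed, the
        // container expired the session; otherwise something called
        // invalidate() on it. A non-positive maxInactive means "never".
        boolean timedOut = maxInactive > 0
                && idleMillis >= maxInactive * 1000L;
        LOG.info("session destroyed id=" + s.getId()
                + " idle=" + (idleMillis / 1000) + "s"
                + " maxInactiveInterval=" + maxInactive + "s"
                + " webapp=" + s.getServletContext().getContextPath()
                + (timedOut ? " (timed out)" : " (explicitly invalidated)"));
    }
}
```

Reading the two webapps' "session destroyed" lines side by side shows whether the 20-minute session in "static" expired first and whether the second webapp's 7200-second session was still alive when the 403 appeared; that correlates directly with the SingleSignOn debug logging suggested above.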

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
