On 12/10/11 12:51, Konstantin Kolinko wrote:
Something becomes clearer.

Remembering the session as associated with ssoid is performed by
SingleSignOn.associate(..) method. This method is called by
AuthenticatorBase class.

Those webapps with long living sessions - are they protected by
security constraints in their web.xml?

(If they are not, then authentication does not happen and their
sessions are not associated with SSO).

Yes, they are constrained and once the SSO has been invalidated, they are forced through my standard login/menu mechanism by catching the 403 error status.

My Tomcat 6.0.28 compiled class for AuthenticatorBase does not match the 6.0.33 source code I am debugging with. The SSO Valve is pretty much the same.

The 6.0.33 AuthenticatorBase.register() method has a lot of stuff about SSO and it mentions a bug fix number 10040 in some comments that sound quite relevant to my symptoms. I haven't been able to reconcile the source code and can't find the bug report yet.

Brian
