[jboss-dev-forums] [Design of Security on JBoss] - session timeout does not invalidate the SSO

Tuesday, 22 August 2006

I am using JBoss SSO on an application that consists of multiple WAR's and the
application needs to track when a users session (SSO) is created and destroyed. I have
implemented an HttpListener and defined it in web.xml. Unfortunately, when one webapp
(WAR) session invalidates/times out it doesn't necessarily mean that all sessions in
all webapps have been invalidated for that user. Therefore, this approach doesn't
accomplish what I need, which is track when a users SSO gets created and destroyed.

It would be nice if there was some sort of SSOListener that could be implemented. This
SSOListener might be invoked when the SSO is created and destroyed, and have methods like
ssoCreated() and ssoDestroyed().

Is there a hook to tell when a SSO gets created and destroyed?

FYI- This is my SSO configuration for JBoss

-- server.xml --
turned on valve: org.apache.catalina.authenticator.SingleSignOn

-- jboss-service.xml --
Disabled SSO caching by setting DefaultCacheTimeout and DefaultCacheResolution to 0.

Any assistance would be appreciated.
-Mike 

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3966770#...

Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-dev-forums] [Design of Security on JBoss] - session timeout does not invalidate the SSO