----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Sent: Tuesday, 15 September, 2015 11:12:59 PM
Subject: Re: [undertow-dev] backchannel logout in cluster
On 9/14/2015 6:22 PM, Stuart Douglas wrote:
> I don't think there is much Undertow can do here, because this is clustered
> it is basically out of Undertow's control.
> For a non clustered version you can just maintain your own map using
> session listeners, however like you say for the clustered version if you
> want to maintain this sort of map you will need to create an Infinispan
> cache to handle the mapping.
> When you mentioned an Undertow SPI what exactly did you have in mind? Some
> way to query the session manager based on session attributes?
A Hack I thought of was to create an Http Session that is shared by all
requests and machines or clone the existing http session and change the
session id to an SSO session id provided by the IdP. Undertow doesn't
have a way to provide your own session id though when creating sessions.
(Jetty doesn't either, only Tomcat/JBossWeb allow this).
We don't have a documented way, but if you pass in a SessionConfig implementation that
returns a constant value for findSessionId
to the createSession method then this session id will be used for the new session.
This is obviously a hack though, and I will look at adding a new method that supports this
Better extensions to Undertow session manager would be:
* Ability to associate an alias to an http session. i.e. an SSO session ID.
* or the ability to replace the http session id, with a new one. i.e.
after authentication, replace the local http session id, with the SSO
I can do this one as well.
* Additionally, the ability to index http sessions (or session ids)
principal or principal name.
Would you still need this indexing if I give you control over the session ID?
JBoss, a division of Red Hat