When the HTTP session is explicitly invalidated, the following session listener is invoked: SingleSignOnAuthenticationMechanism#SessionInvalidationListener.
The user receives a new JSESSIONIDSSO cookie in the response. Everything works fine. But when the session is invalidated by timeout, the code in the session listener that logs the user out of SSO is not called:
@Override
public void sessionDestroyed(Session session, HttpServerExchange exchange, SessionDestroyedReason reason) {
    // The SSO identifier was stored on the session when the user authenticated
    String ssoId = (String) session.getAttribute(SSO_SESSION_ATTRIBUTE);
    if (ssoId != null) {
        try (SingleSignOn sso = manager.findSingleSignOn(ssoId)) {
            if (sso != null) {
                // Always detach the destroyed session from the SSO entry
                sso.remove(session);
                // Only an explicit invalidation (logout) tears down the other sessions;
                // TIMEOUT and UNDEPLOY skip this branch
                if (reason == SessionDestroyedReason.INVALIDATED) {
                    for (Session associatedSession : sso) {
                        associatedSession.invalidate(null);
                        sso.remove(associatedSession);
                    }
                }
                // If there are no more associated sessions, remove the SSO altogether
                if (!sso.iterator().hasNext()) {
                    manager.removeSingleSignOn(ssoId);
                }
            }
        }
    }
}
The question is: why does it work this way? Can I force the calls to associatedSession.invalidate(null); and sso.remove(associatedSession); on HTTP session timeout? Right now, when the HTTP session expires, the user keeps using the old JSESSIONIDSSO, and the server does not offer to change it.
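One way to get the behaviour the question asks for, as an added example that is not part of the original post and not Undertow's own code: register a second SessionListener on the same SessionManager that handles the TIMEOUT reason the built-in listener skips. It reuses the types shown in the posted code (Session, SessionListener, SingleSignOn, SingleSignOnManager) and the String-based manager.removeSingleSignOn(ssoId) from that version. The attribute name SSO_SESSION_ATTRIBUTE is private in Undertow, so the value below is an assumption to verify against the deployed version; SsoTimeoutListener and register are hypothetical names chosen here. It also assumes a SessionListener with default methods (Java 8 era Undertow); on older versions the remaining callbacks need empty bodies.

```java
import java.util.ArrayList;
import java.util.List;

import io.undertow.security.impl.SingleSignOn;
import io.undertow.security.impl.SingleSignOnManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionListener;
import io.undertow.server.session.SessionManager;

/**
 * Hypothetical listener (not part of Undertow): treats a session TIMEOUT like an
 * explicit logout. When a session bound to an SSO id times out, every other
 * session sharing that id is invalidated and the SSO entry is removed, so the
 * stale JSESSIONIDSSO no longer resolves to anything on the next request.
 */
public final class SsoTimeoutListener implements SessionListener {

    // ASSUMPTION: Undertow keeps the SSO id under this attribute name in the
    // versions the author has seen; it is private in the mechanism class, so
    // check it against the deployed Undertow sources.
    private static final String SSO_SESSION_ATTRIBUTE = SingleSignOn.class.getName() + ".SESSION";

    private final SingleSignOnManager manager;

    public SsoTimeoutListener(SingleSignOnManager manager) {
        this.manager = manager;
    }

    @Override
    public void sessionDestroyed(Session session, HttpServerExchange exchange, SessionDestroyedReason reason) {
        // INVALIDATED is already handled by Undertow's SessionInvalidationListener,
        // and UNDEPLOY must not log the user out of other deployments.
        if (reason != SessionDestroyedReason.TIMEOUT) {
            return;
        }
        String ssoId = (String) session.getAttribute(SSO_SESSION_ATTRIBUTE);
        if (ssoId == null) {
            return;
        }
        try (SingleSignOn sso = manager.findSingleSignOn(ssoId)) {
            if (sso == null) {
                return; // another session's listener already tore the SSO down
            }
            sso.remove(session);

            // Snapshot first: invalidate() re-enters the session listeners, and the
            // built-in one mutates the same SSO entry while we iterate it.
            List<Session> others = new ArrayList<>();
            for (Session other : sso) {
                others.add(other);
            }
            for (Session other : others) {
                sso.remove(other);
                // null exchange, as in Undertow's own listener: no response is in flight
                other.invalidate(null);
            }
            // Remove the entry unconditionally so the old JSESSIONIDSSO cannot be reused;
            // the mechanism will not find it and the client has to authenticate again.
            manager.removeSingleSignOn(ssoId);
        }
    }

    /** Wire the listener into the deployment's session manager (e.g. from a ServletExtension). */
    public static void register(SessionManager sessionManager, SingleSignOnManager ssoManager) {
        sessionManager.registerSessionListener(new SsoTimeoutListener(ssoManager));
    }
}
```

Note that the built-in listener still runs for the same TIMEOUT event; because it only removes the timed-out session and removes the SSO entry when nothing is left, the two listeners do not conflict regardless of order. The client will still send the old JSESSIONIDSSO on its next request; what changes is that the server no longer recognises it, which is the effect an explicit logout has today.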