SSO logout on session timeout

Time: 2015-07-20 09:51:41

Tags: java security single-sign-on wildfly-8 undertow

When the HTTP session is explicitly invalidated, the following security session listener is invoked: SingleSignOnAuthenticationMechanism#SessionInvalidationListener

The user gets a new JSESSIONIDSSO cookie in the response. Everything works fine. But when the session is invalidated by a timeout, the session listener never reaches the code that logs the user out of SSO:

        @Override
        public void sessionDestroyed(Session session, HttpServerExchange exchange, SessionDestroyedReason reason) {
            // The SSO id is stored as a session attribute when the user is authenticated through SSO.
            String ssoId = (String) session.getAttribute(SSO_SESSION_ATTRIBUTE);
            if (ssoId != null) {
                try (SingleSignOn sso = manager.findSingleSignOn(ssoId)) {
                    if (sso != null) {
                        // Runs for every reason (INVALIDATED, TIMEOUT, UNDEPLOY): only the
                        // destroyed session is detached from the SSO entry.
                        sso.remove(session);
                        // Only an explicit invalidation logs the user out of every
                        // deployment; a TIMEOUT never enters this branch.
                        if (reason == SessionDestroyedReason.INVALIDATED) {
                            for (Session associatedSession : sso) {
                                associatedSession.invalidate(null);
                                sso.remove(associatedSession);
                            }
                        }
                        // If there are no more associated sessions, remove the SSO altogether
                        if (!sso.iterator().hasNext()) {
                            manager.removeSingleSignOn(ssoId);
                        }
                    }
                }
            }
        }

The question is: why does it work this way? Can I force the calls to associatedSession.invalidate(null); and sso.remove(associatedSession); on HTTP session timeout? Right now, when the HTTP session expires, the user keeps using the old JSESSIONIDSSO and the server does not offer to change it.
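As the listener quoted above shows, a TIMEOUT only detaches the expired session from the SSO entry, and the loop that invalidates every associated session runs only for INVALIDATED. The following is an added example, not Undertow's or WildFly's own code: a second SessionListener, registered alongside the built-in one, that extends the logout to the TIMEOUT case. It assumes the attribute key under which the SSO id is stored (the constant is private in SingleSignOnAuthenticationMechanism, so the value must be checked against the Undertow version in use), and it uses the String form of removeSingleSignOn exactly as the snippet above does. The class name and constructor are hypothetical.

```java
import io.undertow.security.impl.SingleSignOn;
import io.undertow.security.impl.SingleSignOnManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionListener;

/**
 * Added example (hypothetical class): when one deployment's session times out,
 * invalidate every other session attached to the same SSO entry and drop the
 * entry, so the stale JSESSIONIDSSO can no longer be used.
 */
public final class SsoTimeoutLogoutListener implements SessionListener {

    // Assumption: key the built-in mechanism stores the SSO id under; verify
    // against the Undertow sources of the version actually deployed.
    private static final String SSO_SESSION_ATTRIBUTE =
            SingleSignOn.class.getName() + ".SESSION";

    private final SingleSignOnManager manager;

    public SsoTimeoutLogoutListener(SingleSignOnManager manager) {
        this.manager = manager;
    }

    @Override
    public void sessionDestroyed(Session session, HttpServerExchange exchange,
                                 SessionDestroyedReason reason) {
        // Explicit invalidation (and undeploy) is already handled by the
        // built-in SessionInvalidationListener; only add the TIMEOUT case.
        if (reason != SessionDestroyedReason.TIMEOUT) {
            return;
        }
        // Listeners run before the session is marked invalid, so attributes
        // are still readable here (the built-in listener relies on this too).
        Object ssoId = session.getAttribute(SSO_SESSION_ATTRIBUTE);
        if (!(ssoId instanceof String)) {
            return;
        }
        String id = (String) ssoId;
        try (SingleSignOn sso = manager.findSingleSignOn(id)) {
            if (sso == null) {
                return;
            }
            // Detach the timed-out session FIRST: invalidating the others
            // triggers the built-in INVALIDATED cascade, which must not try to
            // invalidate this already-dying session a second time.
            sso.remove(session);
            for (Session other : sso) {
                if (other.getId().equals(session.getId())) {
                    continue;
                }
                try {
                    // No exchange exists during a timer-driven timeout; the
                    // built-in listener also passes null here.
                    other.invalidate(null);
                } catch (IllegalStateException alreadyInvalid) {
                    // Already invalidated, either by a concurrent timeout or by
                    // the built-in cascade started from a previous iteration.
                }
                sso.remove(other);
            }
            // Every session is gone, so drop the SSO entry itself. Signature
            // follows the snippet on this page; later Undertow releases take
            // the SingleSignOn object instead of its id.
            manager.removeSingleSignOn(id);
        }
    }
}
```

Registering it is deployment-specific: for a servlet deployment the listener can be added to the DeploymentInfo (it exposes an addSessionListener method; this and the way the SingleSignOnManager instance is obtained are assumptions for the WildFly 8 setup here), and it must be given the same manager the authentication mechanism uses. The security trade-off is the point of the example: with this listener an idle timeout in any one deployment becomes a global logout across every deployment sharing the SSO cookie, whereas the built-in listener on TIMEOUT only detaches that one session and leaves the SSO entry, and therefore the JSESSIONIDSSO cookie, valid.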

0 answers:

No answers