[jira] [Commented] (OFBIZ-10047) Tomcat SSO


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-10047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16296545#comment-16296545 ]

Jacques Le Roux commented on OFBIZ-10047:
-----------------------------------------

I reviewed the code one last time and read the Tomcat links I posted above.

There is one thing I wonder about. At https://tomcat.apache.org/tomcat-8.5-doc/config/host.html#Single_Sign_On it's said
bq. As soon as the user logs out of one web application (for example, by invalidating the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again.
This obviously works in OFBiz (not new) and it's not due to
{code}
        if (EntityUtilProperties.propertyValueEquals("security", "security.login.tomcat.sso", "true")){
            try {
                // log out from Tomcat SSO
                request.logout();
            } catch (ServletException e) {
                Debug.logError(e, module);
            }
        }
{code}
in LoginWorker because despite what is said at https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()
bq.  Establish null as the value returned when getUserPrincipal, getRemoteUser, and getAuthType is called on the request.
As HttpServletRequest.html is only an interface, nothing is implemented there. So I think we don't need this block of code at all.

Also, as I said above, logging out from Tomcat SSO is not an issue for OFBiz.

> Tomcat SSO
> ----------
>
>                 Key: OFBIZ-10047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10047
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch
>
>
> Proposing Tomcat SSO to be used in OFBiz to improve on Single-Sign-On.
> This aims to fix the issues mentioned in OFBIZ-6963, OFBIZ-6994.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)