Java Shibboleth SP logout notification receiver

Cantor, Scott cantor.2 at osu.edu
Mon May 7 03:23:57 BST 2012


On 5/6/12 10:01 PM, "Robert Egglestone" <r.egglestone at auckland.ac.nz>
wrote:

>The front channel support is quick to add, the back channel support looks
>like it'll take a lot more effort.

I thought you meant that you expected somebody to be able to do this in a
portable way. I think the only portable part is the trivial piece, so
that's what I thought you were looking for (and why I was confused). The
rest is going to depend on the environment and the app.

>I was thinking along the following lines for Java web apps:
>
>1. A servlet filter adds the Shibboleth session ID to the HttpSession.
>
>2. A container-specific library is installed that given a Shibboleth
>session ID will iterate through the sessions using the container APIs,
>and delete the one that matches the Shibboleth session ID.

Thus, non-portable to "Java" in a generic sense.

>3. A servlet port of the PHP5 logout code that in the front channel case
>drops the session, and in the back channel case calls #2.

>Is this on the right track?
>Is only supporting the front channel a viable option?

I don't know what's viable, but the part that's reusable should be very
trivial to throw together. If you're looking for an existing example of
#2, no, that doesn't exist, AFAIK.

-- Scott



More information about the users mailing list