Java Shibboleth SP logout notification receiver
Cantor, Scott
cantor.2 at osu.edu
Mon May 7 03:23:57 BST 2012
On 5/6/12 10:01 PM, "Robert Egglestone" <r.egglestone at auckland.ac.nz>
wrote:
>The front channel support is quick to add, the back channel support looks
>like it'll take a lot more effort.
I thought you meant that you expected somebody to be able to do this in a
portable way. I think the only portable part is the trivial piece, so
that's what I thought you were looking for (and why I was confused). The
rest is going to depend on the environment and the app.
>I was thinking along the following lines for Java web apps:
>
>1. A servlet filter adds the Shibboleth session ID to the HttpSession.
>
>2. A container-specific library is installed that given a Shibboleth
>session ID will iterate through the sessions using the container APIs,
>and delete the one that matches the Shibboleth session ID.
Thus, non-portable to "Java" in a generic sense.
>3. A servlet port of the PHP5 logout code that in the front channel case
>drops the session, and in the back channel case calls #2.
>Is this on the right track?
>Is only supporting the front channel a viable option?
I don't know what's viable, but the part that's reusable should be very
trivial to throw together. If you're looking for an existing example of
#2, no, that doesn't exist, AFAIK.
-- Scott
More information about the users
mailing list