- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 6.0-HF25, 7.10-HF03, 8.1
- Component/s: Authentication
- Tags:
- Sprint: NOS-11

I ran into some trouble while doing some perf tests: the following method throws an exception (IllegalStateException) when I call /nuxeo/logout (not every time).
The session is invalidated twice.
The first time by Seam's sessionManager:
org.nuxeo.ecm.platform.ui.web.auth.plugins.SeamJsfSessionManager.onBeforeSessionInvalidate
The second time is explicit.
```java
class PluggableAuthenticationService {

    public void invalidateSession(ServletRequest request) {
        if (!sessionManagers.isEmpty()) {
            for (String smName : sessionManagers.keySet()) {
                NuxeoAuthenticationSessionManager sm = sessionManagers.get(smName);
                sm.onBeforeSessionInvalidate(request); // <=========== first time here
            }
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpSession session = httpRequest.getSession(false);
        if (session != null) {
            session.invalidate(); // <=========== second time here
        }
    }
}
```
It's important to use Seam to invalidate a Seam-based session because it handles some custom state which must be cleaned.
The isValid state is handled by the servlet container (Tomcat in our case) and is absolutely not exposed.
There are only 2 implementations of NuxeoAuthenticationSessionManager (WebEngine and Seam).
The web engine does nothing on `onBeforeSessionInvalidate`.
Maybe we could update the NuxeoAuthenticationSessionManager and add a new operation named isInvalidationManager. Seam will return true.
- only the first sessionManager which returns true will invalidate the session
- the standard invalidate method will be invoked only if no sessionManager handled the invalidation.

- is required by NXP-12697 Fix security exception with anonymous user (Resolved)
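
The `isInvalidationManager` proposal from the description, sketched as an added example (not Nuxeo's code and not the fix that was committed). `Session`, `SessionManager`, `SeamLike` and `WebEngineLike` are simplified stand-ins for `HttpSession`, `NuxeoAuthenticationSessionManager` and its two implementations; skipping later invalidation managers once one has acted is one reading of the proposal.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class InvalidateOnceDemo {
    // Stand-in for HttpSession: as in a servlet container, a second invalidate() throws.
    static class Session {
        boolean valid = true;
        void invalidate() {
            if (!valid) throw new IllegalStateException("Session already invalidated");
            valid = false;
        }
    }
    // Simplified NuxeoAuthenticationSessionManager plus the proposed operation.
    interface SessionManager {
        void onBeforeSessionInvalidate(Session session);
        default boolean isInvalidationManager() { return false; }
    }
    // Seam-like manager (assumption): cleans its state and invalidates the session itself.
    static class SeamLike implements SessionManager {
        public void onBeforeSessionInvalidate(Session s) { s.invalidate(); }
        public boolean isInvalidationManager() { return true; }
    }
    // WebEngine-like manager: does nothing on invalidation.
    static class WebEngineLike implements SessionManager {
        public void onBeforeSessionInvalidate(Session s) { }
    }

    static void invalidateSession(Map<String, SessionManager> managers, Session session) {
        boolean handled = false;
        for (SessionManager sm : managers.values()) {
            if (sm.isInvalidationManager()) {
                if (handled) continue; // only the first invalidation manager acts
                handled = true;
            }
            sm.onBeforeSessionInvalidate(session);
        }
        if (!handled) session.invalidate(); // standard path, only when no manager handled it
    }

    public static void main(String[] args) {
        Map<String, SessionManager> managers = new LinkedHashMap<>();
        managers.put("webengine", new WebEngineLike());
        managers.put("seam", new SeamLike());
        Session s1 = new Session(), s2 = new Session();
        invalidateSession(managers, s1); // Seam-like manager invalidates; no second call
        managers.remove("seam");
        invalidateSession(managers, s2); // fallback: standard invalidate() runs once
        System.out.println("s1 valid=" + s1.valid + ", s2 valid=" + s2.valid);
    }
}
```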