0

I'm trying to support single sign-on with JETTY and we have 2 subdomains running webservers that will support single sign-on through Jetty's SSO support.

account.test.com app.test.com

We have a SSOSession cookie that is set to *.test.com, but to support sign-off I need to ensure that my Jetty server running at app.test.com has it's JSESSIONID cookie reset.

I'm currently using the Jetty JAAS FormAuthenticator and overriding SSORealm to support validation of the SSOSession cookie when the FormAuthenticator is called.

I want to be able to have the account.test.com allow users to sign in there which will cause it to invalidate the JSESSIONID cookie being used at app.test.com.

One solution I could do that would probably be more correct is to detect a change in teh SSOSession cookie and invalidate the JSESSIONID on my server.

4

1 回答 1

0

我对 Jetty 或 JSESSIONID 如何工作一无所知,但听起来您想将 JSESSIONID 的有效性与特定的 SSOSession cookie 联系起来。

一种可能性 - 在 app.test.com 上创建新会话时,除了新的 JSESSIONID 之外,在域 app.test.com 中设置一个新的 cookie,例如 SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret)。

当用户与 app.test.com 交互时,服务器会收到 JSESSIONID、SSOSig 和 SSOSessionID。如果 SSOSessionID 因在 account.test.com 上登录而更改,那么您将收到 JSESSIONID、SSOSig 和 SSOSessionID'。现在您验证 SSOSig 的尝试将失败,因为 MD5(JSESSIONID + SSOSessioID' + secret) != SSOSig 并且此时您可以使 JSESSIONID 无效。

于 2010-02-13T18:48:59.357 回答