uCosminexus Application Server, Security Management Guide
This section describes how to implement login and logout when using the session failover functionality.
The session failover functionality can inherit only objects of the String type. To inherit user attributes (UserAttributes), retrieve the required values as strings and store them in the global session information.
The following is an example of implementing user authentication when using the session failover functionality.
When implementing login, register the user ID and any user information that is needed after login in the global session once login succeeds.
<%@ page import="java.security.Principal, javax.security.auth.Subject, javax.security.auth.login.LoginContext, javax.security.auth.login.LoginException" %>
<%-- WebPasswordHandler and UserAttributes must also be imported from the product package. --%>
<%
LoginContext lc = new LoginContext("Example",
    new WebPasswordHandler(request, response, null, "login.html", true));
try {
    lc.login();
    Subject subject = lc.getSubject();
    session.setAttribute("ExampleSubject", subject); // Store the Subject in HttpSession (it is not a String, so it is not inherited)
    String uid = ((Principal)subject.getPrincipals().iterator().next()).getName();
    session.setAttribute("ExampleUserID", uid); // Store the user ID in the global session
    UserAttributes attr = (UserAttributes)lc.getSubject().getPublicCredentials().iterator().next();
    session.setAttribute("telephoneNumber", attr.getAttribute("tel")); // Store the telephone number in the global session
} catch (LoginException e) { ... }
%>
It is recommended that the user ID be registered as read-only so that it is retained if the SFO server fails.
Logout uses the Subject obtained at login, the user ID registered in the global session, and the HttpSession. Note that the Subject object becomes null after failover; in that case, create and specify a new Subject.
<%
try {
    String uid = (String)session.getAttribute("ExampleUserID"); // Obtain the user ID from the global session
    Subject subject = (Subject)session.getAttribute("ExampleSubject");
    LoginContext lc = new LoginContext("Example",
        (subject != null) ? subject : new Subject(), // Create a new Subject when the Subject is null (after failover)
        new WebLogoutHandler(session, uid));         // Assign WebLogoutHandler to LoginContext
    session.removeAttribute("ExampleUserID");
    lc.logout();
} catch (LoginException e) { ... }
%>
To complete logout when the session times out, assign an object that implements the HttpSessionBindingListener interface to the HttpSession object. Note that the registered object is cleared because a new HttpSession is generated after failover; check whether the object is present at screen transitions and similar points, and re-register it when necessary.
<%
LoginContext lc = new LoginContext("Portal",
    new WebPasswordHandler(request, response, null, "login.html", true));
try {
    lc.login();
    Subject subject = lc.getSubject();
    String uid = ((Principal)subject.getPrincipals().iterator().next()).getName();
    session.setAttribute("PortalSubject", subject); // Store the Subject in HttpSession
    session.setAttribute("PortalUserID", uid);      // Store the user ID in the global session
    session.setAttribute("myLogoutObject",          // Assign the object that performs the logout process
        new MyListener("Portal", "PortalUserID", "PortalSubject")); // when the session times out to HttpSession
} catch (LoginException e) { ... }
%>
<%!
// The class that performs the logout process when the session times out.
// It is Serializable so that it can be stored in HttpSession.
class MyListener implements HttpSessionBindingListener, java.io.Serializable {
    String name;        // Realm (LoginContext) name
    String userName;    // Session attribute name holding the user ID
    String subjectName; // Session attribute name holding the Subject

    public MyListener(String name, String userName, String subjectName) {
        this.name = name;
        this.userName = userName;
        this.subjectName = subjectName;
    }

    public void valueBound(HttpSessionBindingEvent ev) {}

    public void valueUnbound(HttpSessionBindingEvent ev) {
        String uid = (String)ev.getSession().getAttribute(userName);
        Subject subject = (Subject)ev.getSession().getAttribute(subjectName);
        try {
            LoginContext ctx = new LoginContext(name,
                (subject != null) ? subject : new Subject(), // The Subject is null after failover
                new WebLogoutHandler(ev.getSession(), uid));
            ctx.logout();
        } catch (LoginException e) { ... }
    }
}
%>
The object that is registered for logout and implements the HttpSessionBindingListener interface is cleared after failover. Check if the object is present and re-register it when necessary.
<%
if (LoginUtil.check(request, response)) {
    HttpSession session = request.getSession();
    if (session.getAttribute("myLogoutObject") == null) {
        // Re-register the listener; the attribute names must match those used at login
        session.setAttribute("myLogoutObject",
            new MyListener("Portal", "PortalUserID", "PortalSubject"));
    }
} else {
    // Processing when the user is not logged in
}
%>
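The three rules above (only String values go into the global session, a new Subject replaces the null one inherited after failover, and the timeout listener is re-registered on each screen transition) collected into one reusable helper. This is an added example, not code from the manual or the product; the class name FailoverSessionSupport and its method names are assumed, and WebLogoutHandler and UserAttributes are the product classes used on this page, to be imported from the product package.

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingListener;
// WebLogoutHandler and UserAttributes: product classes used on this page;
// import them from the product package (package name not shown here).

public final class FailoverSessionSupport { // hypothetical helper, not a product class
    private FailoverSessionSupport() {}

    /** Copy selected user attributes into the global session as String values.
     *  Session failover inherits String attributes only, so a non-String value is
     *  rejected here instead of silently disappearing after failover. */
    public static void storeAsStrings(HttpSession session, UserAttributes attr, String... names) {
        for (String name : names) {
            Object value = attr.getAttribute(name);
            if (value == null) continue; // attribute not set for this user
            if (!(value instanceof String)) {
                throw new IllegalArgumentException(name + " is not a String and would not survive failover");
            }
            session.setAttribute(name, value);
        }
    }

    /** Log out using the inherited user ID. After failover the Subject stored in
     *  HttpSession is null, so an empty Subject is supplied to LoginContext instead. */
    public static void logout(String realm, HttpSession session, String userIdKey, String subjectKey)
            throws LoginException {
        String uid = (String) session.getAttribute(userIdKey);
        Subject subject = (Subject) session.getAttribute(subjectKey);
        LoginContext lc = new LoginContext(realm,
                (subject != null) ? subject : new Subject(),
                new WebLogoutHandler(session, uid));
        session.removeAttribute(userIdKey);
        lc.logout();
    }

    /** The new HttpSession created after failover no longer holds the listener that
     *  logs the user out on timeout; call this on every screen transition to restore it. */
    public static void ensureLogoutListener(HttpSession session, String listenerKey,
                                            HttpSessionBindingListener listener) {
        if (session.getAttribute(listenerKey) == null) {
            session.setAttribute(listenerKey, listener);
        }
    }
}
```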
Because user attributes (UserAttributes) cannot be inherited, the session failover functionality restricts the use of the following tags.
To inherit user attributes (UserAttributes), retrieve the required values as strings and store them in the global session information.
Do not allow multiple logins in the same realm or by the same user. When multiple logins occur, single sign-on may not work properly.
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd