- Type: Bug
- Status: Closed
- Resolution: No Longer Reproducible
- Affects Version/s: 6.1.1 CE GA2
- Fix Version/s: 6.2.0 CE M4
- Component/s: Application Security
- Labels:
- Environment:
portal.ctx=/amp
terms.of.use.required=false
ldap.password.policy.enabled=true
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
ldap.import.enabled=true
ldap.export.enabled=true
users.reminder.queries.enabled=false
users.reminder.queries.custom.question.enabled=false
users.email.address.required=false
users.email.address.auto.suffix=@no-availity-emailaddress.com
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
open.sso.auth.enabled=true
open.sso.ldap.import.enabled=true
open.sso.logout.on.session.expiration=true
company.security.auth.type=screenName
vaadin.resources.path=/amp/html
vaadin.theme=reindeer
vaadin.widgetset=com.vaadin.portal.gwt.PortalDefaultWidgetSet
servlet.session.destroy.events=com.liferay.portal.events.SessionDestroyAction,com.liferay.portal.events.ChannelSessionDestroyAction
com.liferay.portal.servlet.filters.cache.CacheFilter=false
schema.run.enabled=false
auth.token.check.enabled=false
session.timeout.auto.extend=true
We use OpenSSO and LDAP to auto-login users from our legacy site. Liferay is accessed using a link on our legacy portal, which brings up Liferay in a separate browser window. If a user logs out from the legacy portal (invalidating the OpenSSO session), and a new user logs in and attempts to interact with Liferay (which is still open from the first user), the first user's session is invalidated as it should be, but the new user does not get logged in. We do not allow guests to view our pages, so they end up getting an error stating they do not have permission to view the site.
Looking through the source, I think the issue might be caused by storing user information in the HTTP request attributes. We added code to clear out those attributes when a new OpenSSO session is detected in the filter. This seems to have cleared things up for us, and the new user gets a session.
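The workaround described above, sketched as a servlet filter. This is an added example, not Liferay's OpenSSOFilter or the reporter's patch. The cookie name is assumed to be OpenSSO's default, and the session and request attribute keys are hypothetical.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration; not Liferay's OpenSSOFilter. Constants below are assumptions.
public class SsoSessionBindingFilter implements Filter {
    static final String SSO_COOKIE = "iPlanetDirectoryPro"; // assumed: OpenSSO default cookie name
    static final String BOUND = "example.sso.fingerprint";  // hypothetical session key
    static final String[] USER_ATTRS = {"example.user", "example.userId"}; // hypothetical request keys

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        String presented = fingerprint(readCookie(request, SSO_COOKIE));
        HttpSession session = request.getSession(false);
        String bound = session == null ? null : (String) session.getAttribute(BOUND);
        // The session belongs to a different (or ended) SSO login: discard it and
        // any cached user state before downstream filters and portlets run.
        boolean changed = bound != null && !bound.equals(presented);
        if (changed) {
            session.invalidate();
            for (String name : USER_ATTRS) request.removeAttribute(name);
        }
        // Bind the current SSO login to a (fresh) session so the next switch is detected.
        if (presented != null && (changed || bound == null)) {
            request.getSession(true).setAttribute(BOUND, presented);
        }
        chain.doFilter(request, rs);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    private static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }

    // Keep only a SHA-256 fingerprint so the raw SSO token is never stored in the session.
    private static String fingerprint(String token) throws ServletException {
        if (token == null) return null;
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes("UTF-8"));
            return new BigInteger(1, d).toString(16);
        } catch (Exception e) { throw new ServletException(e); }
    }
}
```

The filter only detects that the SSO token changed; validating the token against OpenSSO remains the job of the SSO filter, which must be mapped after this one.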