Invalidate current user login in BlazeDS

[dancantong]

Hi!
I need to integrate BlazeDS security with an external security mechanism so I have implemented custom authentication as described in http://livedocs.adobe.com/blazeds/1/blazeds_devguide/help.html?content=services_security_1.html. Now I need to invalidate user authentication on server upon certain circunstances. When this happens, I invalidate Session contained in Request parameter of invoke method of TomcatValve. This seems to work but I get a nasty "Duplicated Http Session" in Flex client telling that cookies where removed in server. Is there any clear way to invalidate current user login from BlazeDS?

Thank you very much.

Daniel.

[flexy]

This may be of use: http://forums.adobe.com/thread/296037

[dancantong]

Invoke method of TomcatValve that enables custom authentication is as follows:

Code:

public void invoke(Request request, Response response)
        throws IOException, ServletException
    {
        javax.servlet.ServletRequest servRequest = request.getRequest();
        if(servRequest instanceof HttpServletRequest)
        {
            HttpServletRequest hrequest = (HttpServletRequest)servRequest;
            String path = hrequest.getServletPath();
            boolean match = false;
            if(path == null)
            {
                String uri = hrequest.getRequestURI();
                match = uri != null && (uri.indexOf(MESSAGEBROKER_MATCH) != -1 || uri.indexOf(AMF_MATCH) != -1 || uri.indexOf(GATEWAY_MATCH) != -1 || CUSTOM_MATCH != null && uri.indexOf(CUSTOM_MATCH) != -1);
            } else
            {
                match = path.startsWith(MESSAGEBROKER_MATCH) || path.startsWith(AMF_MATCH) || path.startsWith(GATEWAY_MATCH) || CUSTOM_MATCH != null && path.startsWith(CUSTOM_MATCH);
            }
            if(match)
            {
                TomcatLoginHolder.setLogin(new TomcatLoginImpl(getContainer(), request));
                java.security.Principal principal = hrequest.getUserPrincipal();
                if(principal == null)
                {
                    Session session = getSession(request, false);
                    if(session != null)
                    {
                        principal = session.getPrincipal();
                        if(principal != null)
                        {
                            request.setAuthType(session.getAuthType());
                            request.setUserPrincipal(principal);
                        }
                    }
                }
            }
        }
        Valve next = getNext();
        if(next != null)
            next.invoke(request, response);
    }

I added an aditional checking that forces request.setUserPrincipal(null) in case I need to unlog usser, but this seems to have no effect as logged Flex application can continue invoking remote objects without obtaining a SecurityException response. The only way I found to unlog user is calling to session.setValid(false), although in this case I obtain a "Duplicate Session" exception when I try to invoke again instead of a Security Exception (the invocation that caused session invalidation obtains a SecurityException response). I got this exception even when I try to logout channel after session invalidation. I managed to logout channel If I programatically set FlexClient ID to null and then execute logout (so channel is no longer authenticated and I can redirect user to login view and authenticate again). I find this a bit strange as I suppose It must be a way to invalidate session in server (this must be done when session expires, for example) withouth generating this Duplicate session exception issue.