jakarta ee – invalidating session across all applications in weblogic 11g – Education Career Blog

I am new to WebLogic and am porting over a series of web applications from JBoss. I have multiple WARs that I deploy to the same WebLogic server. All of them are configured for form-based authentication backed by Active Directory.

I’m having issues logging out of the applications, however. I have one of the applications that serves as my login application that contains the actual login.jsp form. It also has a logout servlet that calls session.invalidate(). After calling this, I can’t access protected pages in the main application, but can access protected pages in the other applications.

From what I’ve been reading, WebLogic 11g shares the same session across all applications, which makes sense with what I am seeing. I’m finding references to using the following to invalidate a session across all applications:

invalidateAll(HttpServletRequest req)

in package

weblogic.servlet.security.ServletAuthentication

However, I cannot find this or anything similar in WebLogic 11g. Where is this utility class or how should I be doing this?

Thanks

UPDATE:

Based on Josek’s answer below, I had to add the following to my weblogic.xml file for all of the applications that I am deploying:

 <session-descriptor>
     <sharing-enabled>true</sharing-enabled>
 </session-descriptor>

The jar that I was looking for is called wls-api.jar, which contains the ServletAuthentication class. I was using the zip-based 10.3.3.0 version of the WebLogic Server. I found the jar in the installation of the wlserver_10.3 server installation as part of the WebLogic Fusion installation. I just took the jar and added it to our Nexus Maven repository.

Answer:

invalidateAll is documented as part of WLS 10.3 (aka 11g) so it should work in your logout servlet. Have you tried it and faced any error?

"It also has a logout servlet that calls session.invalidate(). After calling this, I can’t access protected pages in the main application, but can access protected pages in the other applications"

This indicates to me that the sessions are not shared across web applications, which is the default behaviour. If the sessions were shared the user would be logged out of all the applications. For the sessions to be shared, you would have to set sharing-enabled to true.

As the docs state,

"By default, Web applications do not share the same session. If you would like Web applications to share the same session, you can configure the session descriptor at the application level in the weblogic-application.xml deployment descriptor. To enable Web applications to share the same session, set the sharing-enabled attribute in the session descriptor to true in the weblogic-application.xml deployment descriptor."
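
As an added illustration (not code from the question or the answer), a logout servlet in the login application that uses the invalidateAll call discussed above could look like this. The class name, the POST-only handling, the cache headers and the redirect target are assumptions made for the example; ServletAuthentication is the WebLogic class from wls-api.jar mentioned in the update.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Provided by the server at runtime; only needed on the compile classpath.
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical logout servlet. WLS 10.3 implements Servlet 2.5, so it is
// mapped with <servlet>/<servlet-mapping> in web.xml, not with an annotation.
public class LogoutServlet extends HttpServlet {

    // Assumed location of the login form; adjust to the real context path.
    private static final String LOGIN_PAGE = "/login/login.jsp";

    // Logout changes state, so it is handled on POST only (GET is left
    // unimplemented and answers 405 by default).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Invalidate all sessions of the current user and remove the
        // authentication data, instead of only this web application's session.
        ServletAuthentication.invalidateAll(req);

        // Defensive fallback: if this application's own session is still
        // present after the call above, invalidate it explicitly.
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Session was already invalidated; nothing left to do.
            }
        }

        // Keep browsers and proxies from serving a cached protected page
        // after logout.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.sendRedirect(LOGIN_PAGE);
    }
}
```

After deploying, a quick check is to log in, open a protected page in each application, post to the logout servlet, and confirm that every application now redirects to the login form.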
