Hello, I have a problem with the security configuration of my Struts application.
First a short description of my environment:
We are using two servers, one SAP Netweaver Portal 6.0 SPS 20
and one SAP Application Server WAS 6.4.
The SAP WAS is configured to trust the Portal and therefore an SSO between Portal and SAP WAS is working.
My Struts application is running on the SAP WAS and the user, authenticated on the portal, can access this application via the portal navigation. The ticket is evaluated via the EvaluateTicketLoginModule JAAS Module, the user is verified and everything is ok.
And here is my question: I have debugged the application and found out that only the first request to the application runs over the JAAS LoginModule; every later request is bypassing this EvaluateTicketLoginModule.
When a user now logs out from the portal and a new user logs in (using the same browser instance), the EvaluateTicketLoginModule is never used to verify the new LoginTicket. The principal in the request-object on the SAP WAS always shows the first user.
I have configured the web.xml (SAP WAS) as follows:
<security-constraint>
    <display-name>Secure App</display-name>
    <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>secure.role</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>secure.role</role-name>
</security-role>
Any idea what is going wrong or what I have missed?
Regards Edmund
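
The behaviour described above is consistent with the container keeping the authenticated principal for the lifetime of the HTTP session. The servlet filter below is an added example, not part of the original post and not SAP code, that binds the session to the logon ticket it was created with and drops the session when the ticket changes. It assumes the portal ticket arrives in the MYSAPSSO2 cookie and that the cached principal lives in the HTTP session; the class name and session attribute name are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example: ties the HTTP session to the logon ticket that created it.
public class TicketBindingFilter implements Filter {
    // Assumption: the portal's logon ticket arrives in the MYSAPSSO2 cookie.
    private static final String TICKET_COOKIE = "MYSAPSSO2";
    private static final String ATTR = "ticketBinding.sha256"; // hypothetical attribute name
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String current = fingerprint(req);
        HttpSession session = req.getSession(false);
        Object bound = (session == null) ? null : session.getAttribute(ATTR);
        if (bound != null && !bound.equals(current)) {
            // Ticket changed or disappeared: the principal held by this session is stale.
            session.invalidate();
            // Fixed redirect target; the follow-up request has no session and is authenticated again.
            ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/");
            return;
        }
        chain.doFilter(rq, rs);
        session = req.getSession(false); // may have been created during this request
        if (session != null && session.getAttribute(ATTR) == null) {
            session.setAttribute(ATTR, current);
        }
    }

    // SHA-256 of the ticket cookie as hex, so the ticket itself is not stored in the session.
    private static String fingerprint(HttpServletRequest req) throws IOException, ServletException {
        String ticket = "";
        Cookie[] cookies = req.getCookies(); // null when the request carries no cookies
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (TICKET_COOKIE.equals(cookies[i].getName())) ticket = cookies[i].getValue();
        }
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(ticket.getBytes("UTF-8"));
            StringBuffer hex = new StringBuffer();
            for (int i = 0; i < d.length; i++) hex.append(Integer.toHexString((d[i] & 0xff) | 0x100).substring(1));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }
}
```

The filter would be mapped to the same `*.do` pattern as the security constraint. It avoids generics and annotations so that it compiles on older J2EE containers.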