Fix for OPENAM-1041 Destroy Oldest action should actually destroy the oldest session The service has been extended, and also the upgrading code has been updated, so upgrade from 9.5.5-RC1 will not change the behavior.
added DestroyNextExpiringAction.java and modified 9 files
For finding out what exactly has changed in the functionality it is probably best to look at the current siteminder integration code and this side by side. Some highlights and questions below:
FAMAuthScheme has become OpenAMAuthScheme
Logging has been changed from stdout to Debug
SiteMinder session is created by doing an HTTP request to a SiteMinder protected page (in SMSessionUtils) instead of doing it via SiteMinder AgentAPI.
Trusted hostname and encryption key is read from SiteMinder agent SmHost.conf instead of module properties. This allows running load balanced OpenAM servers.
Is there a way to keep the SiteMinder AgentAPI session running between authentications ? Initializing the AgentAPI is relatively expensive/time consuming and it would be better to initialize the API once, keep it running in the background and just do the actual credential verification in the SMAuthModule.
The current SiteMinder integration code used the user DN as credentials. This creates inconsistencies between user logging in via SiteMinder login form vs. from OpenAM so I have switched from DN to username. However, I'm not entirely sure if my way of extracting the userid from the OpenAM universal ID is the right way of doing things (OpenAMAuthScheme line 244 onwards) .
The SMCreateSessionPlugin uses a properties file to get the SiteMinder login URL. A better solution would be to have this somehow in the realm configuration but how ? The AMPostAuthProcessInterface class methods don't get configuration information passed onto them upon initialization like SAML2ServiceProviderAdapter class does.
RSS
commented on CR-362