Sessioning is used to maintain consistent user sessions across multi-tiered application environments.
AgentAPI methods that implement session services are:
Agents that perform session management use the sessioning services of the Java Agent API to create, delegate, validate, and terminate user sessions.
Note: For login and logout of SiteMinder administrators for Policy Server or DMS sessions, use the methods SmApiSession.login() and SmApiSession.logout() in the Utility package.
A session is created after a successful user login. Once created, a user session persists until it is terminated.
When a user is authenticated, the Policy Server issues a session specification. A session specification contains information about the user.
User-side session persistence in a multi-tiered application environment is accomplished by saving and maintaining the user information in the session specification. This session specification represents a user session. It is the key to SiteMinder session management.
The SiteMinder environment where the user session was created is responsible for the creation, maintenance, and persistent storage of the session specification. For example, the Web Agent (HTTP environment) stores the session specification in an HTTP cookie.
Agents create sessions using login(). This method authenticates the user credentials and gets the information for session specification (including the unique session id). Once created, the session specification is updated on subsequent Java Agent API calls that also return updated expiration times. Agents can use this information to perform custom session management and keep track of session timeouts.
If your Web server’s user-tracking feature is enabled, the SiteMinder Policy Server issues an identity ticket in addition to the session specification. Identity tickets can be used for identity-based personalization when a user is accessing a resource protected by anonymous authentication schemes. Identity tickets never expire.
Another important feature that is seamlessly integrated with the sessioning mechanism is the SiteMinder universal ID. A universal ID identifies the user to an application in a SiteMinder environment through a unique identifier, such as a social security number or customer account number. The universal ID facilitates identification of users between old and new applications by delivering the user’s identification automatically, regardless of the application. Once configured on the Policy Server, a user’s universal id becomes part of the session specification and is made available to agents for the duration of the entire session.
Agents request validation of a session specification to make sure that a user session has neither expired nor been terminated or revoked. This can occur at any time during the session’s lifetime. Agents call AgentAPI.login() to validate a session specification.
When an application’s logic flow crosses application tiers, sessions may be delegated by passing the session specification between two agents. Each agent can choose to have the session specification validated.
A session is terminated in any of the following ways:
To terminate a session, the agent must discard the session specification. Once a session is terminated, the user must log in again to establish a new session.
Copyright © 2014 CA.
All rights reserved.
|
|