Details
Description
To be able to "share" a PortletSession with a directly accessed servlet of a PortletApplication (as specified by JSR-168), you have to set the Tomcat (5.5.x) Connector attribute emptySessionPath="true".
I was recently required to do this, and then noticed that it has a critical security side effect with the current version of Jetspeed.
The emptySessionPath="true" setting causes only one cookie to be set, for the portal root path, which is then shared by all web applications (portal and portlet applications) for one user connection.
Now, when you log out of the portal, the portal session is invalidated, but all the portlet application sessions remain active!
When you log in as a different user, you still see the session data from the previous (portal) session.
Without emptySessionPath="true", the PortletSessions created are actually "shadowing" the Portal session, and those become invalid too when the portal session is destroyed.
The real solution (also already somewhat implicitly indicated by the JSR-168 spec) is to actively invalidate all created PortletApplication sessions when the Portal application session becomes invalid (logout or timeout).
I've created a lightweight PortalSessionsManager implementation which seems to work very well.
This new component has to be configured as a Portal Service in the Spring assembly, which I will do by default, and then emptySessionPath="true" can safely be used.
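As an added illustration of the invalidation approach described above, and not the reporter's PortalSessionsManager nor Jetspeed code: a minimal tracker built on the plain Servlet API. Binding an object to the portal HttpSession lets its valueUnbound() callback fire when that session is invalidated (logout) or expires (timeout), and at that point every portlet application session registered with it is invalidated as well. The class name PortalSessionTracker, the attribute name, and the assumption that the portal places the tracker in a request attribute before its cross-context dispatch into the portlet application are all invented for this example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Hypothetical tracker (example code, not part of Jetspeed), stored as an
 * attribute of the portal HttpSession. With emptySessionPath="true" every web
 * application behind the shared JSESSIONID cookie still has its own
 * HttpSession object, so invalidating the portal session alone leaves the
 * portlet application sessions alive. Because this object is bound to the
 * portal session, valueUnbound() runs on logout (invalidate()) and on
 * timeout, and that is where the portlet sessions are torn down too.
 */
public class PortalSessionTracker implements HttpSessionBindingListener {

    /** Attribute name used in the portal session and as the request attribute (assumed). */
    public static final String ATTR_NAME = PortalSessionTracker.class.getName();

    private final List<HttpSession> portletSessions = new ArrayList<HttpSession>();

    /** Returns the tracker bound to the portal session, binding a new one on first use. */
    public static synchronized PortalSessionTracker get(HttpSession portalSession) {
        PortalSessionTracker tracker = (PortalSessionTracker) portalSession.getAttribute(ATTR_NAME);
        if (tracker == null) {
            tracker = new PortalSessionTracker();
            portalSession.setAttribute(ATTR_NAME, tracker); // binds the listener
        }
        return tracker;
    }

    /** Called from the portlet application with its own HttpSession; duplicates are ignored. */
    public synchronized void register(HttpSession portletSession) {
        for (HttpSession s : portletSessions) {
            if (s == portletSession) {
                return;
            }
        }
        portletSessions.add(portletSession);
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do here; sessions are registered as portlet applications are dispatched to
    }

    /** Fired when the portal session is invalidated, times out, or the attribute is removed. */
    public void valueUnbound(HttpSessionBindingEvent event) {
        List<HttpSession> toInvalidate;
        synchronized (this) {
            toInvalidate = new ArrayList<HttpSession>(portletSessions);
            portletSessions.clear();
        }
        for (HttpSession s : toInvalidate) {
            try {
                s.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // the portlet application session expired on its own; nothing left to do
            }
        }
    }
}

/**
 * Filter deployed in each portlet application (example, not Jetspeed code).
 * Assumes the portal stored its tracker as a request attribute before the
 * cross-context RequestDispatcher call; request attributes survive that call.
 */
class PortletSessionRegistrationFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            Object tracker = httpReq.getAttribute(PortalSessionTracker.ATTR_NAME);
            if (tracker instanceof PortalSessionTracker) {
                // getSession(true) creates the portlet session that the shared cookie will name
                ((PortalSessionTracker) tracker).register(httpReq.getSession(true));
            }
        }
        chain.doFilter(req, res);
    }
}
```

Two practical caveats for this kind of setup: the tracker class must be loaded from a class loader shared by the portal and the portlet applications (in Tomcat 5.5, shared/lib rather than each WEB-INF/lib), or the instanceof check in the filter fails silently across contexts; and the tracker holds strong references to portlet HttpSession objects until the portal session ends, which is acceptable here because the portlet sessions live no longer than the portal session anyway. A quick check after wiring this up: log in, touch a portlet that stores something in its session, log out, log in as another user, and confirm the portlet data from the first user is gone.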