Sun OpenSSO Enterprise 8.0 Developer's Guide


The SSOTokenManager class contains the methods needed to get, validate, destroy and refresh the session identifiers that are programmatically referred to as the SSOToken. To obtain an instance of SSOTokenManager, call the getInstance() method. The SSOTokenManager instance can be used to create an SSOToken object using one of the forms of the createSSOToken() method. The destroyToken() method is called to invalidate and delete a token to end the session. Either the isValidToken() or the validateToken() method can be called to verify whether a token is valid (asserting successful authentication). isValidToken() returns true or false depending on whether the token is valid or invalid, respectively. validateToken() throws an exception only when the token is invalid; nothing happens if the token is valid. The refreshSession() method resets the idle time of the session. The following code sample illustrates how to use SSOTokenManager to validate a user session.

Example 3–1 Code Sample for Validating a User Session

/* OpenSSO client SDK classes used by this sample (package com.iplanet.sso). */
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

try {
    /* get an instance of the SSOTokenManager */
    SSOTokenManager ssoManager = SSOTokenManager.getInstance();

    /* The request here is the HttpServletRequest. Get the
     * SSOToken for the session associated with this request.
     * If the request does not have a valid session cookie,
     * an SSOException is thrown. */
    SSOToken ssoToken = ssoManager.createSSOToken(request);

    /* Use the isValidToken method to check whether the token is valid.
     * This method returns true for a valid token, false otherwise. */
    if (ssoManager.isValidToken(ssoToken)) {
        /* If the token is valid, this information may be enough for
         * some applications to grant access to the requested
         * resource. A valid token represents a user who is
         * already authenticated. An application can further
         * use the user identity information to apply
         * personalization logic. */
    } else {
        /* Token is not valid: redirect the user to the login page. */
    }

    /* Alternative: use the validateToken method to check
     * whether the token is valid. It throws SSOException only
     * when the token is invalid. */
    try {
        ssoManager.validateToken(ssoToken);
        /* handle valid token */
    } catch (SSOException e) {
        /* handle invalid token */
    }

    /* Refresh the session. Idle time should be 0 after the refresh. */
    ssoManager.refreshSession(ssoToken);

} catch (SSOException e) {
    /* An error has occurred. Do error handling here. */
}
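The fragment above shows the calls in isolation; the following servlet filter is an added example (not from the guide or the OpenSSO project) that puts the same SSOTokenManager calls in front of every mapped URL: unauthenticated requests are redirected to the login page, a request to the assumed /logout path ends the session with destroyToken(), and everything else has its idle time reset before reaching the application. The login URL, the goto parameter, the /logout path and the ssoPrincipal attribute name are assumptions for this example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/** Lets a request through only when it carries a valid OpenSSO session. */
public class SessionGuardFilter implements Filter {
    /* Assumed values: adjust to the deployment's login URL and logout path. */
    private static final String LOGIN_URL = "/opensso/UI/Login";
    private static final String LOGOUT_PATH = "/logout";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String principalName;
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            /* Throws SSOException when no valid session cookie accompanies the request. */
            SSOToken token = manager.createSSOToken(request);
            if (LOGOUT_PATH.equals(request.getServletPath())) {
                /* Invalidate the session on the server, not just the cookie. */
                manager.destroyToken(token);
                response.sendRedirect(LOGIN_URL);
                return;
            }
            /* validateToken throws on an invalid token; nothing happens when it is valid. */
            manager.validateToken(token);
            /* Reset idle time so an active user is not timed out. */
            manager.refreshSession(token);
            principalName = token.getPrincipal().getName();
        } catch (SSOException e) {
            /* Not authenticated: send to login with a return URL, without revealing why. */
            String returnTo = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
            response.sendRedirect(LOGIN_URL + "?goto=" + returnTo);
            return;
        }
        /* Make the authenticated identity available to downstream servlets (assumed attribute name). */
        request.setAttribute("ssoPrincipal", principalName);
        chain.doFilter(request, response);
    }
}
```

Map the filter in web.xml to the URL patterns that require an authenticated session; paths left unmapped remain reachable without a token.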