Is there a way to terminate a user's live uPortal session?

Submitted: October 14, 2008
Is there a way to terminate a user's live, in-progress session?
Yes, there is a way to terminate live uPortal sessions (indeed, any user session for a Java web application hosted in Tomcat) via JMX. No, uPortal does not have additional support for this feature beyond what it gets simply by being a Java web application: for example, uPortal provides no administrative UI for terminating users' sessions.

Before getting to the JMX solution to this requirement, this KBA first reviews related background.

This sort of use case comes up when considering the workflow around terminating user accounts (on termination, you might want all of a user's logged-in sessions to end everywhere), or when considering more sophisticated session controls for security teams and end users, e.g. the ability to terminate remote sessions on sign-out from a single sign-on system.

While CAS 3 now offers the feature of "single sign out" (CAS calls back the applications to which the user authenticated to advise them that the user has logged out, suggesting that the user's live sessions be terminated), uPortal 3.0.2 (the latest general-audience release as of this writing) does not yet use a version of the CAS client library for Java that supports this optional CAS feature.

Once a user successfully authenticates to uPortal, the user's ongoing access to the portal is maintained by a session between the browser and the Java web application container (typically Tomcat). This is mediated on the client side by a JSESSIONID cookie and on the server side by a Java object called HttpSession. For as long as this session is valid, the user remains logged on to uPortal. Other than the user explicitly logging off from uPortal, uPortal itself currently provides no way to invalidate a user's session. Sessions remain active until they time out through inactivity.

It is therefore theoretically possible that a single user session could be kept alive and active for months, supposing application and server uptime were maintained.

The Runtime Info channel includes an administrative feature for reviewing currently active user sessions, which demonstrates the feasibility of administrative access to the sessions. This channel does not, however, currently allow administrators to terminate the sessions it lists: it is a read-only informational channel for administrators, not a tool for making changes.

In this screenshot, the usernames and metadata about the user sessions have been blurred out to protect the privacy of user data.

Screenshot of the CRuntimeInfo channel showing current logged in user sessions

One modern approach to remote monitoring and administration is JMX. Tomcat exposes many MBeans (JMX-managed Java objects), including ones carrying information about sessions (see the relevant Tomcat documentation). Eric Dalquist of the University of Wisconsin-Madison presented on monitoring and adjusting uPortal via JMX at the 2006 JASIG Conference in Atlanta. Besides merely monitoring the number and characteristics of sessions exposed via Tomcat's JMX support, it is also possible to expire particular sessions via JMX (here is a Spring Framework forums post on this topic).
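The JMX approach above, as an added example that is not part of uPortal or Tomcat: a small JMX client that locates the Tomcat Manager MBean for the portal's web application and invokes its `expireSession` operation on one session ID (for example one read from the Runtime Info channel). It assumes Tomcat was started with remote JMX enabled and password-protected (JMX user and password taken from the `JMX_USER` and `JMX_PASS` environment variables), and that the portal is deployed at the context path `/uPortal`; both are assumptions, adjust them for your deployment.

```java
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Expire a single uPortal session via Tomcat's Manager MBean. Example code, not uPortal's own. */
public class ExpireSession {
    // Assumption: the portal web application is deployed at this context path.
    private static final String CONTEXT_PATH = "/uPortal";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ExpireSession <jmx-host:port> <session-id>");
            System.exit(2);
        }
        String hostPort = args[0];
        String sessionId = args[1];

        // Assumption: Tomcat runs with com.sun.management.jmxremote.port set and JMX authentication on.
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + hostPort + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS,
                new String[] { System.getenv("JMX_USER"), System.getenv("JMX_PASS") });

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();

            // Older Tomcats name the Manager MBean with a "path" key, newer ones with "context"; match either.
            Set<ObjectName> managers = mbsc.queryNames(new ObjectName("Catalina:type=Manager,*"), null);
            ObjectName manager = null;
            for (ObjectName name : managers) {
                String ctx = name.getKeyProperty("context");
                if (ctx == null) ctx = name.getKeyProperty("path");
                if (CONTEXT_PATH.equals(ctx)) { manager = name; break; }
            }
            if (manager == null) throw new IllegalStateException("no Manager MBean for " + CONTEXT_PATH);

            // listSessionIds returns the active session IDs as one space-separated string; check before acting.
            String ids = (String) mbsc.invoke(manager, "listSessionIds", null, null);
            if (!Arrays.asList(ids.trim().split("\\s+")).contains(sessionId)) {
                throw new IllegalArgumentException("session " + sessionId + " is not active in " + CONTEXT_PATH);
            }
            // expireSession(String) invalidates the HttpSession, so the browser's JSESSIONID stops working.
            mbsc.invoke(manager, "expireSession", new Object[] { sessionId }, new String[] { "java.lang.String" });
            System.out.println("expired session " + sessionId + " in " + CONTEXT_PATH);
        }
    }
}
```

The same Manager MBean also exposes `getLastAccessedTimestamp(sessionId)` and `getSessionAttribute(sessionId, key)`, which lets an administrator confirm which session belongs to which user before expiring it.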