Application Server 7: AS7-5728

ClusteredSingleSignOn doesn't remove ssoId from sso cluster on Request.logout


    Details

    • Steps to Reproduce:

      Edit standalone-ha.xml, replace:

              <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                  <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                  <virtual-server name="default-host" enable-welcome-root="true">
                      <alias name="localhost"/>
                      <alias name="example.com"/>
                  </virtual-server>
              </subsystem>
      

      with:

              <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                  <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                  <virtual-server name="default-host" enable-welcome-root="true">
                      <alias name="localhost"/>
                      <alias name="example.com"/>
                      <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
                  </virtual-server>
              </subsystem>
      

      Add an application user that belongs to group "guest" with "bin/adduser.sh"

      Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".

      Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security

      Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second)

      Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observe that the user has been reauthenticated from the ssoId in the SSO cluster.

      The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).

    • Workaround:
      Workaround Exists
    • Workaround Description:
      See description

      Description

      Logging out a user with Request.logout doesn't work with clustered SSO. This is caused by ClusteredSingleSignOn.deregister(String) not removing the ssoId from the SSO cluster. The ClusteredSingleSignOn.sessionEvent removes it from both the local cache and the SSO cluster, so a workaround is to call Session.invalidate() prior to calling Request.logout().
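The two logout paths from the steps above and the mechanism from this description, as a hypothetical servlet added here (not the quickstart's own code). It assumes a Servlet 3.0 container, a security constraint in web.xml covering the servlet's URL so the caller is already form-authenticated, and that the class name, URL pattern and "action" parameter are invented for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet (assumed name and mapping) demonstrating the difference
 * between Request.logout() alone and Session.invalidate() + Request.logout()
 * under clustered SSO, as reported in AS7-5728.
 */
@WebServlet("/LogoutDemoServlet")
public class LogoutDemoServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action"); // "logout" or "invalidate" (assumed)
        HttpSession session = req.getSession(false);

        if ("invalidate".equals(action) && session != null) {
            // Workaround from the report: invalidating the session fires the
            // session-destroyed event, and ClusteredSingleSignOn.sessionEvent
            // removes the ssoId from both the local cache and the SSO cluster.
            session.invalidate();
        }

        // With "logout" alone, ClusteredSingleSignOn.deregister(String) clears
        // the local state but leaves the ssoId in the SSO cluster, so the SSO
        // cookie sent on the next request is still honoured.
        req.logout();

        resp.setContentType("text/plain");
        resp.getWriter().println("Logged out");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reloading this URL is the check from the report: after "logout" alone a
        // principal reappears (reauthenticated from the cluster); after "invalidate"
        // the container challenges with the login form instead of reaching here.
        resp.setContentType("text/plain");
        resp.getWriter().println("remoteUser=" + req.getRemoteUser());
    }
}
```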

            People
            Assignee:
            pferraro Paul Ferraro
            Reporter:
            stianst Stian Thorgersen