Uploaded image for project: 'Application Server 7'
  1. Application Server 7
  2. AS7-5728

ClusteredSingleSignOn doesn't remove ssoId from sso cluster on Request.logout

XMLWordPrintable

    • Hide

      Edit standalone-ha.xml, replace:

              <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

      with:

              <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
            </virtual-server>
        </subsystem>

      Add a application user that belongs to group "guest" with "bin/adduser.sh"

      Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".

      Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security

      Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second)

      Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observer that the user has been reauthenticated from ssoId in the SSO cluster.

      The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).

      Show
      Edit standalone-ha.xml, replace: <subsystem xmlns= "urn:jboss:domain:web:1.2" default -virtual-server= " default -host" native = " false " > <connector name= "http" protocol= "HTTP/1.1" scheme= "http" socket-binding= "http" /> <connector name= "ajp" protocol= "AJP/1.3" scheme= "http" socket-binding= "ajp" /> <virtual-server name= " default -host" enable-welcome-root= " true " > <alias name= "localhost" /> <alias name= "example.com" /> </virtual-server> </subsystem> with: <subsystem xmlns= "urn:jboss:domain:web:1.2" default -virtual-server= " default -host" native = " false " > <connector name= "http" protocol= "HTTP/1.1" scheme= "http" socket-binding= "http" /> <connector name= "ajp" protocol= "AJP/1.3" scheme= "http" socket-binding= "ajp" /> <virtual-server name= " default -host" enable-welcome-root= " true " > <alias name= "localhost" /> <alias name= "example.com" /> <sso cache-container= "web" cache-name= "sso" reauthenticate= " false " /> </virtual-server> </subsystem> Add a application user that belongs to group "guest" with "bin/adduser.sh" Start the server with "bin/standalone.sh --server-config=standalone-ha.xml". Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second) Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observer that the user has been reauthenticated from ssoId in the SSO cluster. The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).
    • Workaround Exists
    • Hide

      See description

      Show
      See description

      Logging out a user with Request.logout doesn't work with clustered SSO. This is caused by ClusteredSingleSignOn.deregister(String) not removing the ssoId from the SSO cluster. The ClusteredSingleSignOn.sessionEvent removes it from both the local cache and the SSO cluster, so a workaround is to call Session.invalidate() prior to calling Request.logout().

        1. jboss-as-servlet-security.war
          10 kB

              pferraro@redhat.com Paul Ferraro
              sthorger@redhat.com Stian Thorgersen
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: