Issue Type: Bug
Resolution: Unresolved
Priority: Critical
Affects Version: 1.19.1.Final
We are running into an issue with the Elytron security subsystem when web authentication is done using HttpServletRequest.login() calls. SSO sessions are being destroyed after the Undertow idle session-timeout duration is hit even though sessions are still active/requests are being made. This behavior was not seen when using the legacy security subsystem.
Our web apps rely on servlet filters to authenticate requests where we make calls to HttpServletRequest.login(). Although SSO is working with programmatic authentication in that the sessions are reauthenticated properly, the call to DefaultSingleSignOnSession.put() is not made to update the SSO participants list. Each request has the proper JSESSIONIDSSO in the cookie header, so https://issues.redhat.com/browse/ELY-1626 is not the issue. Without updating the SSO participants list, we are running into a bug where the Undertow InMemorySessionManager timeout logic triggers a logout of the SSO session when it hits the idle session-timeout value (default of 30 minutes) even when the sessions are clearly not idle.
Full details can be found here:
https://groups.google.com/g/wildfly/c/MGVbec2IBn0
We've patched the wildfly-elytron-http-1.19.1.Final.jar in our environment so that the cache boolean in HttpAuthenticator's restoreIdentity function is removed and does not prevent this line from being executed:
We'd like to get an actual fix for this in future releases so we don't have to always patch that jar.