Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-2263

Invalidating a session of an SSO on a different node than where the session was created does not logout the user

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.DR13
    • 7.0.0.ER2 (Beta), 7.0.0.ER7, 7.0.0.CR1, 7.1.0.DR6, 7.1.0.DR10
    • Undertow
    • None
    • Release Notes
    • Documented as Known Issue
    • Hide
      • Two servers with a distributable deployment capable of calling Session.invalidate() (FORM auth), clustered single-sign-on, user added
        • A1 = 127.0.0.1:8080/deployment
        • A2 = 127.0.0.2:8180/deployment
      • Access A1, authenticate, access A2 (we still only have a single session - everything distributable), invalidate session on A2 (e.g. calling 127.0.0.1:8180/deployment?invalidate=true), access A2:
        • Expected: we need to authenticate and then receive a new session
        • Actual result: we receive a new session but don't need to authenticate
      Show
      Two servers with a distributable deployment capable of calling Session.invalidate() (FORM auth), clustered single-sign-on, user added A1 = 127.0.0.1:8080/deployment A2 = 127.0.0.2:8180/deployment Access A1, authenticate, access A2 (we still only have a single session - everything distributable), invalidate session on A2 (e.g. calling 127.0.0.1:8180/deployment?invalidate=true), access A2: Expected: we need to authenticate and then receive a new session Actual result: we receive a new session but don't need to authenticate

    Description

      See steps to reproduce for description. Additional scenario with a failover where we don't need to authenticate with the last request (but where we should be required to authenticate):

      • Access A1, authenticate, fail A1 (e.g. shutdown the server), access A2, invalidate session on A2, access A2

      Scenarios where the SSO context is destroyed (where we need to authenticate with the last request as expected):

      • Access A1, authenticate, invalidate session on A1, access A1
      • Access A1, authenticate, access A2, invalidate session on A1, access A1

      Possibly related to JBEAP-1228, JBEAP-1282. Note that we always only have a single session bound to an SSO. I'm not flagging this as a blocker, since the issue usually doesn't manifest thanks to sticky sessions on a load balancer.

      Attachments

        Issue Links

          incorporates

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-1228 Session.invalidate() does not invalidate SSO context for non-distributable applications

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-669 SSO auth should check for the attribute in the session not the result of sso.add

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is caused by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-976 SingleSignOnAuthenticationMechanism fails to destroy SSO following session invalidation if session was registered with SSO on remote node

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-5932 Invalidating a session of an SSO on a different node than where the session was created does not logout the user

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-794 WARN ISPN000197: Error updating cluster member list at the boot up

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              rjanik@redhat.com Richard Janik
              Richard Janik Richard Janik
              Richard Janik Richard Janik
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: