Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-5785

[7.1.x] Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.DR5
    • 7.1.0.DR3
    • Undertow
    • Hide
      • start EAP server with <single-sign-on/> enabled and a user added
      • deploy a <distributable/> application with FORM authentication enabled
      • create a request for the deployment and authenticate
      • logout from the application by calling HttpServletRequest.logout()
      • create a request
      • what is expected: you should authenticate for this request
      • what happens: you are still considered authenticated
      • logging out for the second time works as expected
      Show
      start EAP server with <single-sign-on/> enabled and a user added deploy a <distributable/> application with FORM authentication enabled create a request for the deployment and authenticate logout from the application by calling HttpServletRequest.logout() create a request what is expected: you should authenticate for this request what happens: you are still considered authenticated logging out for the second time works as expected

    Description

      This issue has resurfaced with 7.1.0.DR3. It has been previously reported and fixed in 7.0.x.

      See "Steps to Reproduce". Logging out from an application only works every second time, e.g. HttpRequestServlet.logout() has to be called twice in order to have any effect. This doesn't occur without <single-sign-on/> enabled - logout() has the expected effect. The issue is security related, thus I'm adding our security team members as watchers. I suggest blocker priority due to this being related to security, but if you're of different opinion, let's discuss.

      I'm trying to create a test in the WildFly integration testsuite (I hit this in the upstream as well, Jira on the way) but I'm currently failing ([1]). The test I have written is currently passing. I don't know why yet, but either the test is bad or there might be something specific about the issue. The reproducer from JBEAP-1282 still works (in other words, it is failing now that the issue has appeared again).

      [1]: https://github.com/LittleJohnII/wildfly/blob/sso-logout/testsuite/integration/clustering/src/test/java/org/jboss/as/test/clustering/cluster/sso/ClusteredSingleSignOnTestCase.java see testLogoutWithClusteredSSO

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-1282 Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-811 [7.1.x] Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFLY-7019 [11.0.x] Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-5765 Upgrade Undertow from 1.4.0.Final to 1.4.3.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              bstansbe@redhat.com Brian Stansberry
              rjanik@redhat.com Richard Janik
              Richard Janik Richard Janik
              Richard Janik Richard Janik
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: