WildFly / WFLY-5422

SSO is not destroyed after session timeout period of <distributable/> app.

    Details

    Steps to Reproduce:

      1. Two identical FORM-authentication based apps. Session timeout set to 1 min. Application marked <distributable/> in web.xml
      2. SSO switched on in the undertow subsystem in standalone.xml using <single-sign-on path="/" />
      3. Access the first application - login/password requested as expected. Login successful.
      4. I can access the second deployed application as well. - SSO works as expected.
      5. Wait > 1 min

      6a. Non-<distributable/> application
      Accessing the first and second application requires login
      Active session count = 0. [1]
      6b. <distributable/> application
      Accessing the first and second application doesn't require login
      Active session count = 1. [2]


      Description

      Using a <distributable/> application causes the SSO not to be destroyed after the session timeout period. Based on [1], there is still an active session, which is probably the cause of the SSO not being destroyed.
      A similar setup in EAP6 requires the user to log in after the session timeout period.

      Setting priority to critical because of a regression with security impact.

      [1]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)

      { "outcome" => "success", "result" => 0 }

      [2]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)

      { "outcome" => "success", "result" => 1 }
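      The check below is an added example, not code from the report or from the WildFly project. It scripts the reproduction above end to end so the fix can be verified: enable SSO on the default host through the management CLI (the CLI equivalent of the <single-sign-on path="/" /> element in step 2), log in to the first app with FORM authentication, confirm the second app is reachable through the SSO cookie, wait past the one-minute session timeout, and then assert that both apps send the login form again and that the deployment's active-sessions count is back to 0. Everything that is not in the report is an assumption: the deployment names app1.war and app2.war, a protected resource at /secured/ in each app, a login page whose form posts to j_security_check, the test credentials, and $JBOSS_HOME. The security point it checks is the one the report makes: an SSO cookie that is still honoured after every session behind it has expired keeps an authenticated identity alive on a shared or stolen browser session longer than the configured timeout allows.

```shell
#!/bin/sh
# Reproduction check for the SSO-after-timeout behaviour reported above.
# Added example, not WildFly project code. Assumptions (hypothetical):
#   - WildFly management CLI on localhost:9990, HTTP on localhost:8080
#   - two FORM-authenticated apps deployed as app1.war and app2.war,
#     each with a protected resource at /secured/ and <distributable/> plus
#     <session-timeout>1</session-timeout> (minutes) in web.xml
#   - the login page contains a form that posts to j_security_check
#   - the credentials below exist in the realm both apps use

JBOSS_HOME="${JBOSS_HOME:-/opt/wildfly}"
CLI="$JBOSS_HOME/bin/jboss-cli.sh --connect --controller=localhost:9990"
BASE="${BASE:-http://localhost:8080}"
USER="${SSO_USER:-testuser}"
PASS="${SSO_PASS:-testpass}"
JAR="${TMPDIR:-/tmp}/sso-cookies.$$"     # shared cookie jar: carries JSESSIONID and the SSO cookie
SESSION_TIMEOUT_SECS=60                   # must match <session-timeout> in web.xml

# Step 2 of the report via the CLI. Idempotent: the add fails harmlessly if
# the setting already exists.
enable_sso() {
    $CLI --command='/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add(path="/")' >/dev/null 2>&1 || true
}

# Pull the integer "result" out of a read-attribute response such as
#   { "outcome" => "success", "result" => 1 }
parse_active_sessions() {
    printf '%s\n' "$1" | sed -n 's/.*"result" => \([0-9][0-9]*\).*/\1/p'
}

# Active session count of a deployment, using the same CLI call as [1]/[2].
active_sessions() {
    out="$($CLI --command="/deployment=$1/subsystem=undertow:read-attribute(name=active-sessions)")"
    parse_active_sessions "$out"
}

# Exit 0 when the body on stdin is the FORM login page, i.e. access was refused.
needs_login() {
    grep -q 'j_security_check'
}

# FORM login: request the protected resource first so the container creates the
# session and remembers the target, then post credentials with the same jar.
form_login() {
    curl -s -c "$JAR" -b "$JAR" "$BASE/$1/secured/" >/dev/null
    curl -s -c "$JAR" -b "$JAR" -d "j_username=$USER" -d "j_password=$PASS" \
        "$BASE/$1/j_security_check" >/dev/null
}

# Fetch an app's protected resource with the shared jar; prints "login" when the
# login form came back and "ok" when the resource itself was served.
probe() {
    if curl -s -L -c "$JAR" -b "$JAR" "$BASE/$1/secured/" | needs_login; then
        echo login
    else
        echo ok
    fi
}

run_check() {
    enable_sso
    form_login app1
    echo "app2 after SSO login:  $(probe app2)"              # expected: ok
    sleep $((SESSION_TIMEOUT_SECS + 15))                     # outlive the timeout with margin
    echo "app1 after timeout:    $(probe app1)"              # expected: login
    echo "app2 after timeout:    $(probe app2)"              # expected: login
    echo "app1 active sessions:  $(active_sessions app1.war)" # expected: 0
    rm -f "$JAR"
}

# Only talk to a server when explicitly asked; the helpers can be exercised offline.
if [ "${RUN_SSO_CHECK:-0}" = 1 ]; then
    run_check
fi
```

      Run it with `RUN_SSO_CHECK=1 sh check_sso_expiry.sh` against a server showing the bug and the two "after timeout" probes print `ok` with an active-sessions count of 1, matching [2]; after the fix they print `login` and the count is 0, matching [1]. The sleep margin matters: Undertow expires sessions on a background sweep rather than at the exact timeout instant, so probing at 60 seconds sharp can show a false positive.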

                People

                • Assignee:
                  pferraro Paul Ferraro
                  Reporter:
                  mchoma Martin Choma
                • Votes:
                  0
                  Watchers:
                  6
