WFLY-5422: SSO is not destroyed after session timeout period of <distributable/> app.


Details

    • Bug
    • Resolution: Done
    • Critical
    • 10.0.0.CR5
    • 10.0.0.CR2
    • Clustering, Security
    • None

      1. 2 same FORM authentication based apps. Session timeout set to 1 min. Application marked <distributable/> in web.xml
      2. SSO switched on in undertow subsystem in standalone.xml using <single-sign-on path="/" />
      3. Access first application - login/password requested as expected. Login successful.
      4. I can access second deployed application as well. - SSO works as expected.
      5. Wait > 1 min

      6a. Non-<distributable/> application
      Accessing first and second application requires login
      Active session count = 0. [1]
      6b. <distributable/> application
      Accessing first and second application doesn't require login
      Active session count = 1. [2]


    Description

      Using a <distributable/> application causes SSO not to be destroyed after the session timeout period. Based on [1], there is still an active session, which is probably the cause of SSO not being destroyed.
      A similar setup in EAP6 requires the user to log in after the session timeout period.

      Setting priority to critical because of a regression with security impact.

      [1]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
      {
      "outcome" => "success",
      "result" => 0
      }
      [2]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
      {
      "outcome" => "success",
      "result" => 1
      }
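      The following script is an added regression check for the behaviour described in this issue; it is not part of the report or of WildFly. It logs in to one FORM-authenticated <distributable/> app, waits past the 1-minute session timeout, then checks that the second app asks for login again and that Undertow reports zero active sessions via the same read-attribute call shown in [1] and [2]. Deployment names app1.war/app2.war, the /secured/index.jsp page, the user/password credentials and the server locations are assumptions.

```bash
#!/usr/bin/env bash
# Added check for the SSO/session-timeout behaviour in WFLY-5422 (not part
# of the issue). Assumptions (mine, not from the report): apps at /app1 and
# /app2 deployed as app1.war and app2.war, a protected page /secured/index.jsp,
# test credentials user/password, server on localhost:8080, CLI in $JBOSS_HOME/bin.
set -eu
HOST="${HOST:-http://localhost:8080}"
CLI="${JBOSS_HOME:-/opt/wildfly}/bin/jboss-cli.sh"

# Pull the integer "result" out of a read-attribute response such as
#   { "outcome" => "success", "result" => 1 }
parse_active_sessions() {
  printf '%s\n' "$1" | sed -n 's/.*"result" *=> *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# FORM auth serves the login page with HTTP 200, so the status code cannot tell
# "logged in" from "login required"; look for the j_security_check form instead.
requires_login() { printf '%s' "$1" | grep -q 'j_security_check'; }

# Pass (exit 0) only when no session survived AND the second app asks for login.
sso_destroyed() {
  local cli_output="$1" page="$2"
  [ "$(parse_active_sessions "$cli_output")" = "0" ] && requires_login "$page"
}

run_check() {
  local jar page cli; jar="$(mktemp)"
  curl -s -c "$jar" -b "$jar" -o /dev/null "$HOST/app1/secured/index.jsp"
  curl -s -c "$jar" -b "$jar" -o /dev/null \
    -d 'j_username=user&j_password=password' "$HOST/app1/j_security_check"
  # SSO in effect: app2 must not show the login form at this point.
  requires_login "$(curl -s -b "$jar" "$HOST/app2/secured/index.jsp")" && { echo "SSO not established"; exit 2; }
  sleep 65   # exceed the 1-minute session timeout
  page="$(curl -s -b "$jar" "$HOST/app2/secured/index.jsp")"
  cli="$("$CLI" --connect "/deployment=app1.war/subsystem=undertow:read-attribute(name=active-sessions)")"
  rm -f "$jar"
  if sso_destroyed "$cli" "$page"; then
    echo "OK: SSO torn down, active-sessions=$(parse_active_sessions "$cli")"
  else
    echo "FAIL (issue behaviour): active-sessions=$(parse_active_sessions "$cli"), no login required"; exit 1
  fi
}

# Only talk to a live server when explicitly requested: RUN_SSO_CHECK=1 ./check.sh
if [ "${RUN_SSO_CHECK:-0}" = "1" ]; then run_check; fi
```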

      People

        pferraro@redhat.com Paul Ferraro
        mchoma@redhat.com Martin Choma