Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7019

[11.0.x] Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 11.0.0.Alpha1
    • 11.0.0.Alpha1
    • Web (Undertow)
    • None
    • Hide
      • start EAP server with <single-sign-on/> enabled and a user added
      • deploy a <distributable/> application with FORM authentication enabled
      • create a request for the deployment and authenticate
      • logout from the application by calling HttpServletRequest.logout()
      • create a request
      • what is expected: you should authenticate for this request
      • what happens: you are still considered authenticated
      • logging out for the second time works as expected
      Show
      start EAP server with <single-sign-on/> enabled and a user added deploy a <distributable/> application with FORM authentication enabled create a request for the deployment and authenticate logout from the application by calling HttpServletRequest.logout() create a request what is expected: you should authenticate for this request what happens: you are still considered authenticated logging out for the second time works as expected

      This issue has resurfaced with 11.0.0.Alpha1-SNAPSHOT. It has been previously reported and fixed in 10.1.0.Final.

      See "Steps to Reproduce". Logging out from an application only works every second time, e.g. HttpRequestServlet.logout() has to be called twice in order to have any effect. This doesn't occur without <single-sign-on/> enabled - logout() has the expected effect. I'm adding our security team members as watchers.

      I'm trying to create a test in the WildFly integration testsuite, but I'm currently failing ([1]). The test I have written is currently passing. I don't know why yet, but either the test is bad or there might be something specific about the issue. The reproducer from JBEAP-1282 still works (in other words, it is failing now that the issue has appeared again).

      [1]: https://github.com/LittleJohnII/wildfly/blob/sso-logout/testsuite/integration/clustering/src/test/java/org/jboss/as/test/clustering/cluster/sso/ClusteredSingleSignOnTestCase.java see testLogoutWithClusteredSSO

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              rjanik@redhat.com Richard Janik
              Richard Janik Richard Janik
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: