[jboss-user] [Security & JAAS/JBoss] - JBoss SSO: App with multiple style sheets/javascript files c
waltbarrow
do-not-reply at jboss.com
Wed Jul 30 16:20:19 EDT 2008
Hello,
I could use some help with a problem I have discovered with JBoss-SSO.
I am using JBoss-SSO version 1.0CR1 and I am running a JSF application, using JAAS, form-based security, which loads multiple CSS and JAVASCRIPT files for each page displayed. I use an IE-6.0 browser and am running JBoss locally on my Windows XP machine.
The problem is that when I have SSO configured and I try to log into the application, invariably one of the CSS or JAVASCRIPT files does not get loaded properly.
I build the SSO JAR and SAR files from scratch using the SSO code, so I am able to instrument the code with log statements to see what is happening. It appears that after form-authentication, there follow multiple requests from the browser to load the CSS and JAVASCRIPT files. Unfortunately, these requests only have the authenticated Principal in them and, even though SSO has generated the SSO_TOKEN, these requests do not contain it.
I presume that IE has sent a batch of requests off to the server while trying to load the first page of the application.
What I notice is that the first CSS request causes the SSO_TOKEN to be generated and monitoring of the SSO session to start. When the second CSS request arrives, since it does not contain the SSO_TOKEN and the SSO session thinks monitoring is active, the code performs a forced-logout, essentially throwing away the CSS request.
The next request, which contains the authenticated Principal, seems to work and the cycle starts over again. When it's all done, I'm not sure of the state of the application from a security point-of-view.
I have included a snippet of the log file showing the sequence of events as they happened. Unfortunately, some of the events overlap in time and log4j jumbles the output a bit.
Is this a problem with the design of the SSO code or am I missing something? Any help anyone can give me will be greatly appreciated.
Thanks!
Walt Barrow
walter.barrow at afscn.com
Log snippet:
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/faces/index.jsp
DEBUG [org.jboss.security.valve.SSOSession] ********** Creating new SSOSession
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: false
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: true
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] ********** ssoToken is invalid
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Did NOT find principal
DEBUG [org.jboss.security.valve.SSOTokenManager] Extracting domain from serverName: test.l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] Domain found is: .l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/schemePDM.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Did NOT find principal
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/images/Cogs_background.gif
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Did NOT find principal
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/faces/j_security_check
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
INFO [com.itapps.common.sso.login.CustomLdapLoginModule] ********** calling super.login()
INFO [com.itapps.common.sso.login.CustomLdapLoginModule] ********** validatePassword called
INFO [com.itapps.common.sso.login.CustomLdapLoginModule] ********** calling super.validatePassword()
INFO [com.itapps.common.sso.login.CustomLdapLoginModule] ********** login was successful
INFO [com.itapps.common.sso.login.CustomLdapLoginProvider] ********** Reading identity
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Did NOT find principal
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/faces/index.jsp
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/schemePDM.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] ********** setting principal on SSOSession
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Found principal
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookie NOT found
DEBUG [org.jboss.security.valve.SSOTokenManager] Extracting domain from serverName: test.l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] Domain found is: .l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/menuComponent.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** forced logout, user logged out in different partner site
DEBUG [org.jboss.security.valve.SSOAutoLogout] contextPath: /pdapp
DEBUG [org.jboss.security.valve.SSOAutoLogout] requestContext: /pdapp
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** performing signout: /pdapp/faces/logout.jsp?target=%2Fpdapp%2Fcss%2FmenuComponent.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke(2)
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/dateTimeComponent.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] ********** setting principal on SSOSession
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Found principal
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookie NOT found
DEBUG [org.jboss.security.valve.SSOTokenManager] Extracting domain from serverName: test.l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] Domain found is: .l3database.com
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Found principal
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookie NOT found
DEBUG [org.jboss.security.valve.SSOTokenManager] Extracting domain from serverName: test.l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] Domain found is: .l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/javascript/menuComponent.js
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** forced logout, user logged out in different partner site
DEBUG [org.jboss.security.valve.SSOAutoLogout] contextPath: /pdapp
DEBUG [org.jboss.security.valve.SSOAutoLogout] requestContext: /pdapp
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** performing signout: /pdapp/faces/logout.jsp?target=%2Fpdapp%2Fjavascript%2FmenuComponent.js
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke(2)
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout] ######################################################################
DEBUG [org.jboss.security.valve.SSOAutoLogout] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/print.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOSession found: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** forced logout, user logged out in different partner site
DEBUG [org.jboss.security.valve.SSOAutoLogout] contextPath: null
DEBUG [org.jboss.security.valve.SSOAutoLogout] requestContext: /pdapp
DEBUG [org.jboss.security.valve.SSOAutoLogout] Invoking next valve (SSOTokenManager)
DEBUG [org.jboss.security.valve.SSOTokenManager] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] SSOToken found: true
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOTokenManager] Invoking next valve (SSOAutoLogin)
DEBUG [org.jboss.security.valve.SSOAutoLogin] --------------------------------------------------> invoke
DEBUG [org.jboss.security.valve.SSOAutoLogin] ********** setting principal on SSOSession
DEBUG [org.jboss.security.valve.SSOAutoLogin] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOTokenManager] Found principal
DEBUG [org.jboss.security.valve.SSOTokenManager] ssoCookie NOT found
DEBUG [org.jboss.security.valve.SSOTokenManager] Extracting domain from serverName: test.l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] Domain found is: .l3database.com
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOTokenManager] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout] <-------------------------------------------------- invoke
DEBUG [org.jboss.security.valve.SSOAutoLogout]
DEBUG [org.jboss.security.valve.SSOAutoLogout]
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167738#4167738
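A triage script for a log like the one above, added here as an example and not part of the original post or of the JBoss SSO code base: it groups the valve output per request and lists every forced logout that hit a request arriving right after another request had created the SSO token. It matches the message strings exactly as the poster's instrumented log prints them; treating `ssoCookieFound: false` as "request carried no SSO cookie" is an assumption, and the function names are hypothetical.

```python
import re
LINE = re.compile(r"^(?:DEBUG|INFO)\s+\[[\w.]+\]\s*(.*)$")

# Constructed sample: condensed from the log in the post (separator/arrow lines dropped).
SAMPLE = """\
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/schemePDM.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/menuComponent.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** forced logout, user logged out in different partner site
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/css/dateTimeComponent.css
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: null
DEBUG [org.jboss.security.valve.SSOTokenManager] ********** Creating SSOToken: token
DEBUG [org.jboss.security.valve.SSOSession] ?????????? setting monitor to true
DEBUG [org.jboss.security.valve.SSOAutoLogout] Request URL: /pdapp/javascript/menuComponent.js
DEBUG [org.jboss.security.valve.SSOAutoLogout] ssoCookieFound: false
DEBUG [org.jboss.security.valve.SSOAutoLogout] Monitoring: true
DEBUG [org.jboss.security.valve.SSOAutoLogout] ********** forced logout, user logged out in different partner site
"""

def split_requests(text):
    """Group log lines into one record per 'Request URL:' marker.
    Interleaved output from concurrent threads is attributed to the most
    recent marker, so records are approximate on a busy server."""
    requests = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Request URL:"):
            requests.append({"url": msg.split(":", 1)[1].strip(), "cookie": None,
                             "monitoring": None, "token_created": False,
                             "forced_logout": False})
            continue
        if not requests:
            continue
        cur = requests[-1]
        if msg.startswith("ssoCookieFound:") and cur["cookie"] is None:
            cur["cookie"] = msg.endswith("true")
        elif msg.startswith("Monitoring:"):
            cur["monitoring"] = msg.split(":", 1)[1].strip()
        elif "Creating SSOToken" in msg:
            cur["token_created"] = True
        elif "forced logout" in msg:
            cur["forced_logout"] = True
    return requests

def spurious_logouts(requests):
    """Return (logged_out_url, token_issuing_url) pairs for cookieless requests
    that were force-logged-out after an earlier request had created the token."""
    hits, pending = [], None
    for r in requests:
        if r["forced_logout"] and r["cookie"] is False and pending:
            hits.append((r["url"], pending))
        if r["token_created"]:
            pending = r["url"]
    return hits
```

Running `spurious_logouts(split_requests(open(path).read()))` over a full server log gives the list of static resources that were dropped this way, paired with the request that issued the token just before each one.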