<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hello, Stuart.</p>
<p><br>
</p>
<p>First of all, thank you for your suggestion.</p>
<p>Second, sorry for my lack of feedback; I've been away from this task for the last few days.</p>
<p><br>
</p>
<p>I did as you said, but I've had no success yet.</p>
<p>Setting changeSessionIdOnLogin to false avoids the first attempt to create a new session, in the CachedAuthenticatedSessionHandler class. But just after that, a session will be created, and of course, with a new session id.</p>
<p><br>
</p>
<p>If I also set cacheable to false when invoking authenticationComplete, then no session will be created at all. But somehow, the authentication mechanism enters a loop even with my AuthenticationMechanism returning AUTHENTICATED.</p>
<p><br>
</p>
<p>It seems that I am unable to finish my authentication without an instance of HttpSession being created. Is this expected?</p>
<p><br>
</p>
<p>What else could I do? </p>
<p><br>
</p>
<div id="x_Signature">_______________<br>
Vinicius Kopcheski<br>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Stuart Douglas &lt;sdouglas@redhat.com&gt;<br>
<b>Sent:</b> Monday, October 3, 2016 18:28:01<br>
<b>To:</b> Vinicius F. Kopcheski<br>
<b>Cc:</b> undertow-dev@lists.jboss.org<br>
<b>Subject:</b> Re: [undertow-dev] Legacy SSO system integration</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Can you try setting<br>
'io.undertow.servlet.api.DeploymentInfo#changeSessionIdOnLogin' to<br>
false? By default Undertow will generate a new session ID when you<br>
authenticate as a precaution.<br>
<br>
Stuart<br>
<br>
On Tue, Oct 4, 2016 at 8:19 AM, Vinicius F. Kopcheski<br>
&lt;viniciusfk@hotmail.com&gt; wrote:<br>
> Hello,<br>
><br>
><br>
> I'm working to integrate a legacy SSO system with undertow (Wildfly 10), and<br>
> this SSO is also used with JBoss 4 and 6.<br>
><br>
><br>
> Its strategy is to share the same JSESSIONID between all the applications<br>
> running inside all those servers.<br>
><br>
><br>
> In my custom Authentication Mechanism, I retrieve the session id that will<br>
> be used for this session, but just after invoking<br>
> SecurityContext#authenticationComplete, a new session is created, which<br>
> leaves me with two session cookies. I mean, they are both named<br>
> JSESSIONID.<br>
><br>
><br>
> I could find a way to remove this one created by undertow, but I'm not sure<br>
> this is the best approach.<br>
><br>
><br>
> What do you suggest I do in this scenario?<br>
><br>
><br>
> _______________<br>
> Vinicius Kopcheski<br>
><br>
</div>
</span></font>
</body>
</html>