[
https://issues.jboss.org/browse/AS7-5728?page=com.atlassian.jira.plugin.s...
]
Stian Thorgersen updated AS7-5728:
----------------------------------
Steps to Reproduce:
Edit standalone-ha.xml, replace:
{code}
<subsystem xmlns="urn:jboss:domain:web:1.2"
           default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1"
               scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3"
               scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host"
                    enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
{code}
with:
{code}
<subsystem xmlns="urn:jboss:domain:web:1.2"
           default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1"
               scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3"
               scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host"
                    enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
        <sso cache-container="web" cache-name="sso"
             reauthenticate="false"/>
    </virtual-server>
</subsystem>
{code}
Add an application user that belongs to group "guest" with
"bin/adduser.sh"
Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".
Deploy the attached war, or build from
https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/se...
Open
http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is
first box, password second)
Now press "logout" (this calls Request.logout). You will now see "Logged
out". Refresh the page and observe that the user has been reauthenticated from ssoId
in the SSO cluster.
The workaround has been added to this example as well, press "invalidate"
instead of "logout" (this calls Session.invalidate before calling
Request.logout).
was:
Edit standalone-ha.xml, replace:
{code}
<subsystem xmlns="urn:jboss:domain:web:1.2"
           default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1"
               scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3"
               scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host"
                    enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
{code}
with:
{code}
<subsystem xmlns="urn:jboss:domain:web:1.2"
           default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1"
               scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3"
               scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host"
                    enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
        <sso cache-container="web" cache-name="sso"
             reauthenticate="false"/>
    </virtual-server>
</subsystem>
{code}
Add an application user that belongs to group "guest" with
"bin/adduser.sh"
Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".
Deploy the attached war, or build from
https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/se...
Open
http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is
first box, password second)
Now press "logout" (this calls Request.logout). You will now see "Logged
out". Refresh the page and observe that the user has been reauthenticated from ssoId
in the SSO cluster.
The workaround has been added to this example as well, press "invalidate"
instead of "logout" (this calls Session.invalidate before calling
Request.logout).
ClusteredSingleSignOn doesn't remove ssoId from sso cluster on
Request.logout
-----------------------------------------------------------------------------
Key: AS7-5728
URL:
https://issues.jboss.org/browse/AS7-5728
Project: Application Server 7
Issue Type: Bug
Affects Versions: 7.1.3.Final (EAP)
Reporter: Stian Thorgersen
Attachments: jboss-as-servlet-security.war
Logging out a user with Request.logout doesn't work with clustered SSO. This is
caused by ClusteredSingleSignOn.deregister(String) not removing the ssoId from the SSO
cluster. The ClusteredSingleSignOn.sessionEvent removes it from both the local cache and
the SSO cluster, so a workaround is to call Session.invalidate() prior to calling
Request.logout().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira