[
https://issues.jboss.org/browse/WFLY-5422?page=com.atlassian.jira.plugin....
]
Stuart Douglas reassigned WFLY-5422:
------------------------------------
Steps to Reproduce:
1. 2 same FORM authenticated based app. Session timeout set to 1 min. Application marked
<distributalble/> in web.xml
2. SSO switched on in undertow subsystem in standalone.xml using <single-sign-on
path="/" />
3. Access first application - login/password requested as expected. Login succesfull.
4. I can access second deployed application as well. - SSO works as expected.
5. Wait > 1 min
6a. Non-<distributalble/> application
Accessing first and second application requires login
Active session count= 0. [1]
6b. <distributalble/> application
Accessing first and second application doesnt require login
Active session count= 1. [2]
was:
1. 2 same FORM authenticated based app. Session timeout set to 1 min. Application marked
<distributalble/> in web.xml
2. SSO switched on in undertow subsystem in standalone.xml using <single-sign-on
path="/" />
3. Access first application - login/password requested as expected. Login succesfull.
4. I can access second deployed application as well. - SSO works as expected.
5. Wait > 1 min
6a. Non-<distributalble/> application
Accessing first and second application requires login
Active session count= 0. [1]
6b. <distributalble/> application
Accessing first and second application doesnt require login
Active session count= 1. [2]
Assignee: Paul Ferraro (was: Stuart Douglas)
The root cause if this is that the clustering subsystem does not implement the Undertow
SessionManager contract correctly. In particular on timeout it just directly invokes the
servlet HttpSessionListener implementations, but ignores any Undertow SessionListener
implementations that are registered with DistributableSessionManager. As the SSO impl uses
these listeners the SSO session never expires.
SSO is not destroyed after session timeout period of
<distributable/> app.
--------------------------------------------------------------------------
Key: WFLY-5422
URL:
https://issues.jboss.org/browse/WFLY-5422
Project: WildFly
Issue Type: Bug
Components: Clustering, Security
Affects Versions: 10.0.0.CR2
Reporter: Martin Choma
Assignee: Paul Ferraro
Priority: Critical
Using <distributable/> application cause SSO doesnt destroy after session timeout
period. Base on [1], there is still active session, what is probably cause that SSO is not
destroyed.
Setting similar in EAP6 requires user to login after session timeout period.
Setting priority to critical because of regression with security impacts.
[1]
[standalone@localhost:9990 /]
/deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
{
"outcome" => "success",
"result" => 0
}
[2]
[standalone@localhost:9990 /]
/deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
{
"outcome" => "success",
"result" => 1
}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)