Darran Lofthouse edited comment on ELY-2074 at 1/29/21 5:43 AM:
----------------------------------------------------------------
The following is where we receive a notification about session invalidation which triggers
the logout process:
We likely can just ignore the notification if it is for an undeployment; if this was the
only node then there is nothing to clean up anyway, but if there are other nodes we should
assume the SSO session at least will fail over. (Should double check this: the undeploy
could be a management op but the server stays up - we may still need to clean up local
state.)
was (Author: dlofthouse):
The following is where we receive a notification about session invalidation which triggers
the logout process:
We likely can just ignore the notification if it is for an undeployment; if this was the
only node then there is nothing to clean up anyway, but if there are other nodes we should
assume the SSO session at least will fail over.
SSO from FORM authentication required a distributed session
-----------------------------------------------------------
Key: ELY-2074
URL:
https://issues.redhat.com/browse/ELY-2074
Project: WildFly Elytron
Issue Type: Bug
Components: HTTP
Affects Versions: 1.14.1.Final
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Major
Fix For: 1.14.2.CR1
Presently SSO only works on failover if we also have a distributed HTTP session.
The SSO support is supposed to be operating independently of the session; otherwise we
should have just used the session to replicate the identity. I suspect that when we
attempt to restore the identity we check if we have a session scope, but as it does not
exist we skip attempting the restoration; we should be open to restoration being possible
without a session.
Overall, however, it feels like this approach will require some clean-up, which may be
needed for ELY-1626: instead of the current approach, which intercepts session access and
converts it to SSO, we may be better off making SSO a real scope or something similar so
mechanisms can interact with it directly. The approach today, where we wrap the scope
access and intercept the calls, means mechanisms can easily make invalid assumptions about
scope availability, as in this case.
The following TRACE logging shows a successful failover where a web application is marked
as being distributed:
{code:java}
2021-01-26 11:01:34,120 TRACE [org.wildfly.security.http.servlet] (default task-1)
Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true,
applicationContext=default-host /simple-webapp
2021-01-26 11:01:34,121 TRACE [org.wildfly.security.http.servlet] (default task-1) No
AuthConfigProvider for layer=HttpServlet, appContext=default-host /simple-webapp
2021-01-26 11:01:34,121 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC
Unavailable, using HTTP authentication.
2021-01-26 11:01:34,158 TRACE [org.wildfly.security] (default task-1) No CachedIdentity
to restore.
2021-01-26 11:01:34,158 TRACE [org.wildfly.security] (default task-1) Created
HttpServerAuthenticationMechanism
[org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@4b6842ff] for
mechanism [FORM]
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Handling
SocketAddressCallback
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Handling
MechanismInformationCallback type='HTTP' name='FORM'
host-name='localhost' protocol='http'
2021-01-26 11:01:34,160 TRACE [org.wildfly.security.http.form] (default task-1) Trying to
re-authenticate session 3t7EGcnmInMeUYH3-thjyQpTyOanRdoX3Dm-BcS6. Request URI:
[http://localhost:8080/simple-webapp/secured], Context path: [/simple-webapp]
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Principal
assigning: [alice], pre-realm rewritten: [alice], realm name: [example-realm], post-realm
rewritten: [alice], realm rewritten: [alice]
2021-01-26 11:01:34,165 TRACE [org.wildfly.security] (default task-1) Role mapping:
principal [alice] -> decoded roles [Users, user] -> domain decoded roles [] ->
realm mapped roles [Users, user] -> domain mapped roles [Users, user]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing
principal alice.
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing against
the following attributes: [groups] => [user, Users]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing against
the following runtime attributes: [Source-Address] => [127.0.0.1]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Permission mapping:
identity [alice] with roles [Users, user] implies
("org.wildfly.security.auth.permission.LoginPermission" "") = true
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorization
succeed
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Handling
CachedIdentityAuthorizeCallback: principal = alice authorizedIdentity =
SecurityIdentity{principal=alice,
securityDomain=org.wildfly.security.auth.server.SecurityDomain@61f54c5f,
authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='example-realm',
securityRealm=org.wildfly.security.auth.realm.FileSystemSecurityRealm@78079856},
creationTime=2021-01-26T11:01:34.165503Z}
2021-01-26 11:01:34,167 TRACE [org.wildfly.security] (default task-1) Handling
AuthenticationCompleteCallback: succeed
2021-01-26 11:01:34,167 TRACE [org.wildfly.security] (default task-1) Handling
SecurityIdentityCallback: identity = SecurityIdentity{principal=alice,
securityDomain=org.wildfly.security.auth.server.SecurityDomain@61f54c5f,
authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='example-realm',
securityRealm=org.wildfly.security.auth.realm.FileSystemSecurityRealm@78079856},
creationTime=2021-01-26T11:01:34.165503Z}
2021-01-26 11:01:34,168 TRACE [org.wildfly.security] (default task-1) Role mapping:
principal [alice] -> decoded roles [Users, user] -> domain decoded roles [] ->
realm mapped roles [Users, user] -> domain mapped roles [Users, user] {code}
Where the web application is not distributed the following is logged instead:
{code:java}
2021-01-26 11:26:14,189 INFO [org.infinispan.CLUSTER] (thread-10,ejb,nodea) ISPN100001:
Node nodeb left the cluster
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1)
Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true,
applicationContext=default-host /simple-webapp
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1) No
AuthConfigProvider for layer=HttpServlet, appContext=default-host /simple-webapp
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC
Unavailable, using HTTP authentication.
2021-01-26 11:26:59,402 TRACE [org.wildfly.security] (default task-1) No CachedIdentity
to restore.
2021-01-26 11:26:59,402 TRACE [org.wildfly.security] (default task-1) Created
HttpServerAuthenticationMechanism
[org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@71dc2149] for
mechanism [FORM]
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling
SocketAddressCallback
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling
MechanismInformationCallback type='HTTP' name='FORM'
host-name='localhost' protocol='http'
2021-01-26 11:26:59,404 TRACE [org.wildfly.security.http.form] (default task-1) Trying to
re-authenticate. There is no session attached to the following request. Request URI:
[http://localhost:8080/simple-webapp/secured], Context path: [/simple-webapp]
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling
CachedIdentityAuthorizeCallback: principal = null authorizedIdentity = null {code}