ClusteredSingleSignOn cannot handle cross-context apps with same session id
---------------------------------------------------------------------------
Key: JBAS-5609
URL:
http://jira.jboss.com/jira/browse/JBAS-5609
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Clustering, Web (Tomcat) service
Affects Versions: JBossAS-5.0.0.Beta4, JBossAS-4.2.2.GA, JBossAS-4.2.1.GA,
JBossAS-4.2.0.GA, JBossAS-4.0.5.GA
Reporter: Brian Stansberry
Assigned To: Brian Stansberry
Fix For: JBossAS-5.0.0.CR2
The representation of a session in an SSO in the clustered cache is done with a simple
data object that encapsulates the session id and the address of the node where the session
was active. This doesn't properly handle the case where multiple sessions using the
same session id but with different webapps are associated with the sso. This kind of
thing is common due to the use of the emptySessionPath="true" flag on the
connectors in server.xml.
A fix will involve storing the hostname and the context path along with the session id.
Note that the 4.x branch TreeCacheSSOClusterManager.SessionAddress class cannot have its
serialization characteristics changed, so the hostname/context path will need to be
prepended to the existing sessionId field.
In AS 5 this information now forms part of a JBC FQN, so fix will be a bit different.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira