5:27 p.m.
I'm running into a problem implementing SAML backchannel logout. Web
server could receive an on-of-band, non-browser HTTP request to logout
out a specific user and/or session. I would need a way to lookup a
session by Principal and a way to associate and lookup an external key.
SAML doesn't really have any way to push client specific session
information.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:44 p.m.
I should add that SAML provides a "session index" to the web client when
LOGIN is finished. This index is sent with the logout request along
with the principal name.
The only way I could think of to implement it now is to iterate on all
sessions and compare SAML session info with attributes in each session.
Slow, but it would work. Would be nice to have an Undertow SPI.
Otherwise, I'm going to have to create a Infinispan cache specifically
just to map
On 9/14/2015 11:27 AM, Bill Burke wrote:
I'm running into a problem implementing SAML backchannel logout.
Web
server could receive an on-of-band, non-browser HTTP request to logout
out a specific user and/or session. I would need a way to lookup a
session by Principal and a way to associate and lookup an external key.
SAML doesn't really have any way to push client specific session
information.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:22 a.m.
I don't think there is much Undertow can do here, because this is clustered it is
basically out of Undertow's control.
For a non clustered version you can just maintain your own map using session listeners,
however like you say for the clustered version if you want to maintain this sort of map
you will need to create an Infinispan cache to handle the mapping.
When you mentioned an Undertow SPI what exactly did you have in mind? Some way to query
the session manager based on session attributes?
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Tuesday, 15 September, 2015 1:44:22 AM
Subject: Re: [undertow-dev] backchannel logout in cluster
I should add that SAML provides a "session index" to the web client when
LOGIN is finished. This index is sent with the logout request along
with the principal name.
The only way I could think of to implement it now is to iterate on all
sessions and compare SAML session info with attributes in each session.
Slow, but it would work. Would be nice to have an Undertow SPI.
Otherwise, I'm going to have to create a Infinispan cache specifically
just to map
On 9/14/2015 11:27 AM, Bill Burke wrote:
> I'm running into a problem implementing SAML backchannel logout. Web
> server could receive an on-of-band, non-browser HTTP request to logout
> out a specific user and/or session. I would need a way to lookup a
> session by Principal and a way to associate and lookup an external key.
> SAML doesn't really have any way to push client specific session
> information.
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
3:12 p.m.
On 9/14/2015 6:22 PM, Stuart Douglas wrote:
I don't think there is much Undertow can do here, because this is
clustered it is basically out of Undertow's control.
For a non clustered version you can just maintain your own map using session listeners,
however like you say for the clustered version if you want to maintain this sort of map
you will need to create an Infinispan cache to handle the mapping.
When you mentioned an Undertow SPI what exactly did you have in mind? Some way to query
the session manager based on session attributes?
A Hack I thought of was to create an Http Session that is shared by all
requests and machines or clone the existing http session and change the
session id to an SSO session id provided by the IdP. Undertow doesn't
have a way to provide your own session id though when creating sessions.
(Jetty doesn't either, only Tomcat/JBossWeb allow this).
Better extensions to Undertow session manager would be:
* Ability to associate an alias to an http session. i.e. an SSO session ID.
* or the ability to replace the http session id, with a new one. i.e.
after authentication, replace the local http session id, with the SSO
session id
* Additionally, the ability to index http sessions (or session ids) by
principal or principal name.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:49 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Tuesday, 15 September, 2015 11:12:59 PM
Subject: Re: [undertow-dev] backchannel logout in cluster
On 9/14/2015 6:22 PM, Stuart Douglas wrote:
> I don't think there is much Undertow can do here, because this is clustered
> it is basically out of Undertow's control.
>
> For a non clustered version you can just maintain your own map using
> session listeners, however like you say for the clustered version if you
> want to maintain this sort of map you will need to create an Infinispan
> cache to handle the mapping.
>
> When you mentioned an Undertow SPI what exactly did you have in mind? Some
> way to query the session manager based on session attributes?
>
A Hack I thought of was to create an Http Session that is shared by all
requests and machines or clone the existing http session and change the
session id to an SSO session id provided by the IdP. Undertow doesn't
have a way to provide your own session id though when creating sessions.
(Jetty doesn't either, only Tomcat/JBossWeb allow this).
We don't have a documented way, but if you pass in a SessionConfig implementation that
returns a constant value for findSessionId
to the createSession method then this session id will be used for the new session.
This is obviously a hack though, and I will look at adding a new method that supports this
directly.
Better extensions to Undertow session manager would be:
* Ability to associate an alias to an http session. i.e. an SSO session ID.
* or the ability to replace the http session id, with a new one. i.e.
after authentication, replace the local http session id, with the SSO
session id
I can do this one as well.
* Additionally, the ability to index http sessions (or session ids)
by
principal or principal name.
Would you still need this indexing if I give you control over the session ID?
Stuart
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:41 p.m.
On 9/15/2015 8:49 PM, Stuart Douglas wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stuart Douglas" <sdouglas(a)redhat.com>
> Cc: undertow-dev(a)lists.jboss.org
> Sent: Tuesday, 15 September, 2015 11:12:59 PM
> Subject: Re: [undertow-dev] backchannel logout in cluster
>
>
>
> On 9/14/2015 6:22 PM, Stuart Douglas wrote:
>> I don't think there is much Undertow can do here, because this is clustered
>> it is basically out of Undertow's control.
>>
>> For a non clustered version you can just maintain your own map using
>> session listeners, however like you say for the clustered version if you
>> want to maintain this sort of map you will need to create an Infinispan
>> cache to handle the mapping.
>>
>> When you mentioned an Undertow SPI what exactly did you have in mind? Some
>> way to query the session manager based on session attributes?
>>
>
> A Hack I thought of was to create an Http Session that is shared by all
> requests and machines or clone the existing http session and change the
> session id to an SSO session id provided by the IdP. Undertow doesn't
> have a way to provide your own session id though when creating sessions.
> (Jetty doesn't either, only Tomcat/JBossWeb allow this).
We don't have a documented way, but if you pass in a SessionConfig implementation
that returns a constant value for findSessionId
to the createSession method then this session id will be used for the new session.
This is obviously a hack though, and I will look at adding a new method that supports
this directly.
>
> Better extensions to Undertow session manager would be:
> * Ability to associate an alias to an http session. i.e. an SSO session ID.
> * or the ability to replace the http session id, with a new one. i.e.
> after authentication, replace the local http session id, with the SSO
> session id
I can do this one as well.
> * Additionally, the ability to index http sessions (or session ids) by
> principal or principal name.
Would you still need this indexing if I give you control over the session ID?
Sometimes a logout request just has the principal, it doesn't have to
have an SSO session id. Would it be hard to add the ability to index
the session with any arbitrary string key? Of course, all this indexing
is only useful and id replacement is only useful if any node in the
cluster can lookup and invalidate a session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:55 p.m.
Adding Paul.
For our in memory session manager it is relatively simple. From a clustering POV though I
think that this will end up being a case of Wildfly doing the same book keeping that you
would do otherwise, although Paul is the expert.
Either way this will be an API change that needs to go into the next version of Undertow
(so it will miss WF10, but may make EAP7).
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Wednesday, 16 September, 2015 10:41:41 PM
Subject: Re: [undertow-dev] backchannel logout in cluster
On 9/15/2015 8:49 PM, Stuart Douglas wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stuart Douglas" <sdouglas(a)redhat.com>
>> Cc: undertow-dev(a)lists.jboss.org
>> Sent: Tuesday, 15 September, 2015 11:12:59 PM
>> Subject: Re: [undertow-dev] backchannel logout in cluster
>>
>>
>>
>> On 9/14/2015 6:22 PM, Stuart Douglas wrote:
>>> I don't think there is much Undertow can do here, because this is
>>> clustered
>>> it is basically out of Undertow's control.
>>>
>>> For a non clustered version you can just maintain your own map using
>>> session listeners, however like you say for the clustered version if you
>>> want to maintain this sort of map you will need to create an Infinispan
>>> cache to handle the mapping.
>>>
>>> When you mentioned an Undertow SPI what exactly did you have in mind?
>>> Some
>>> way to query the session manager based on session attributes?
>>>
>>
>> A Hack I thought of was to create an Http Session that is shared by all
>> requests and machines or clone the existing http session and change the
>> session id to an SSO session id provided by the IdP. Undertow doesn't
>> have a way to provide your own session id though when creating sessions.
>> (Jetty doesn't either, only Tomcat/JBossWeb allow this).
>
> We don't have a documented way, but if you pass in a SessionConfig
> implementation that returns a constant value for findSessionId
> to the createSession method then this session id will be used for the new
> session.
>
> This is obviously a hack though, and I will look at adding a new method
> that supports this directly.
>
>>
>> Better extensions to Undertow session manager would be:
>> * Ability to associate an alias to an http session. i.e. an SSO session
>> ID.
>> * or the ability to replace the http session id, with a new one. i.e.
>> after authentication, replace the local http session id, with the SSO
>> session id
>
> I can do this one as well.
>
>> * Additionally, the ability to index http sessions (or session ids) by
>> principal or principal name.
>
> Would you still need this indexing if I give you control over the session
> ID?
>
Sometimes a logout request just has the principal, it doesn't have to
have an SSO session id. Would it be hard to add the ability to index
the session with any arbitrary string key? Of course, all this indexing
is only useful and id replacement is only useful if any node in the
cluster can lookup and invalidate a session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3 p.m.
If its not in EAP7 then the change isn't worth it.
On 9/16/2015 8:55 AM, Stuart Douglas wrote:
Adding Paul.
For our in memory session manager it is relatively simple. From a clustering POV though I
think that this will end up being a case of Wildfly doing the same book keeping that you
would do otherwise, although Paul is the expert.
Either way this will be an API change that needs to go into the next version of Undertow
(so it will miss WF10, but may make EAP7).
Stuart
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stuart Douglas" <sdouglas(a)redhat.com>
> Cc: undertow-dev(a)lists.jboss.org
> Sent: Wednesday, 16 September, 2015 10:41:41 PM
> Subject: Re: [undertow-dev] backchannel logout in cluster
>
>
>
> On 9/15/2015 8:49 PM, Stuart Douglas wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stuart Douglas" <sdouglas(a)redhat.com>
>>> Cc: undertow-dev(a)lists.jboss.org
>>> Sent: Tuesday, 15 September, 2015 11:12:59 PM
>>> Subject: Re: [undertow-dev] backchannel logout in cluster
>>>
>>>
>>>
>>> On 9/14/2015 6:22 PM, Stuart Douglas wrote:
>>>> I don't think there is much Undertow can do here, because this is
>>>> clustered
>>>> it is basically out of Undertow's control.
>>>>
>>>> For a non clustered version you can just maintain your own map using
>>>> session listeners, however like you say for the clustered version if you
>>>> want to maintain this sort of map you will need to create an Infinispan
>>>> cache to handle the mapping.
>>>>
>>>> When you mentioned an Undertow SPI what exactly did you have in mind?
>>>> Some
>>>> way to query the session manager based on session attributes?
>>>>
>>>
>>> A Hack I thought of was to create an Http Session that is shared by all
>>> requests and machines or clone the existing http session and change the
>>> session id to an SSO session id provided by the IdP. Undertow doesn't
>>> have a way to provide your own session id though when creating sessions.
>>> (Jetty doesn't either, only Tomcat/JBossWeb allow this).
>>
>> We don't have a documented way, but if you pass in a SessionConfig
>> implementation that returns a constant value for findSessionId
>> to the createSession method then this session id will be used for the new
>> session.
>>
>> This is obviously a hack though, and I will look at adding a new method
>> that supports this directly.
>>
>>>
>>> Better extensions to Undertow session manager would be:
>>> * Ability to associate an alias to an http session. i.e. an SSO session
>>> ID.
>>> * or the ability to replace the http session id, with a new one. i.e.
>>> after authentication, replace the local http session id, with the SSO
>>> session id
>>
>> I can do this one as well.
>>
>>> * Additionally, the ability to index http sessions (or session ids) by
>>> principal or principal name.
>>
>> Would you still need this indexing if I give you control over the session
>> ID?
>>
>
> Sometimes a logout request just has the principal, it doesn't have to
> have an SSO session id. Would it be hard to add the ability to index
> the session with any arbitrary string key? Of course, all this indexing
> is only useful and id replacement is only useful if any node in the
> cluster can lookup and invalidate a session.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:14 p.m.
Hi,
On Wed, Sep 16, 2015 at 3:00 PM, Bill Burke <bburke(a)redhat.com> wrote:
If its not in EAP7 then the change isn't worth it.
Speaking of which, any tentative plan for an EAP7 release date? Given
the release date target of WF10 towards the end of this year, and
assuming EAP7 directly follows EAP7 (i.e. no WF11 before that), would
a mid 2016 release be realistic?
Arjan
p.s.
Following this thread to see if it's anything that the Security JSR
could help with, but as clustering itself is not specified in Java EE
this may be hard.
3145
days inactive
3147
days old
8 comments
3 participants
participants (3)
-
arjan tijms -
Bill Burke -
Stuart Douglas