[jboss-jira] [JBoss JIRA] (AS7-5728) ClusteredSingleSignOn doesn't remove ssoId from sso cluster on Request.logout

Stian Thorgersen (JIRA) jira-events at lists.jboss.org
Thu Oct 11 06:44:03 EDT 2012 

     [ https://issues.jboss.org/browse/AS7-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stian Thorgersen updated AS7-5728:
----------------------------------

    Steps to Reproduce: 
Edit standalone-ha.xml, replace:

{code}
        <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>
{code}

with:

{code}
        <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
            </virtual-server>
        </subsystem>
{code}

Add an application user that belongs to group "guest" with "bin/adduser.sh"

Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".

Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security

Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second)

Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observer that the user has been reauthenticated from ssoId in the SSO cluster.

The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).

  was:
Edit standalone-ha.xml, replace:

{code}
        <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>
{code}

with:

{code}
        <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
            </virtual-server>
        </subsystem>
{code}

Add a application user that belongs to group "guest" with "bin/adduser.sh"

Start the server with "bin/standalone.sh --server-config=standalone-ha.xml".

Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security

Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second)

Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observer that the user has been reauthenticated from ssoId in the SSO cluster.

The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).


    
> ClusteredSingleSignOn doesn't remove ssoId from sso cluster on Request.logout
> -----------------------------------------------------------------------------
>
>                 Key: AS7-5728
>                 URL: https://issues.jboss.org/browse/AS7-5728
>             Project: Application Server 7
>          Issue Type: Bug
>    Affects Versions: 7.1.3.Final (EAP)
>            Reporter: Stian Thorgersen
>         Attachments: jboss-as-servlet-security.war
>
>
> Logging out a user with Request.logout doesn't work with clustered SSO. This is caused by ClusteredSingleSignOn.deregister(String) not removing the ssoId from the SSO cluster. The ClusteredSingleSignOn.sessionEvent removes it from both the local cache and the SSO cluster, so a workaround is to call Session.invalidate() prior to calling Request.logout().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list