[jboss-jira] [JBoss JIRA] (WFLY-986) JBoss Web SingleSignOn valve does not work with <distributable/> apps
Lionel Orellana (JIRA)
issues at jboss.org
Fri Nov 7 00:01:33 EST 2014
[ https://issues.jboss.org/browse/WFLY-986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13018119#comment-13018119 ]
Lionel Orellana edited comment on WFLY-986 at 11/7/14 12:01 AM:
----------------------------------------------------------------
The <distributable/> tag causes the session to be passivated, and on passivation the SSO Valve removes the session from the SSO entry (sessionEvent method in SingleSignOn.java line 333). With the session removed from the SSO entry, it doesn't get invalidated when you log out. Not sure why the session needs to be removed from the SSO entry on passivation.
SingleSignOn.java around line 333:
    if (((session.getMaxInactiveInterval() > 0)
            && (System.currentTimeMillis() - session.getLastAccessedTimeInternal() >=
                session.getMaxInactiveInterval() * 1000))
            || (Session.SESSION_PASSIVATED_EVENT.equals(event.getType()))) {
        removeSession(ssoId, session);
As far as I'm concerned, removing the passivation event from this if condition would solve this problem. But I guess it is there for a reason?
was (Author: lionelve):
The <distributable/> tag causes the session to be passivated, and on passivation the SSO Valve removes the session from the SSO entry (sessionEvent method in SingleSignOn.java line 333). With the session removed from the SSO entry, it doesn't get invalidated when you log out. Not sure why the session needs to be removed from the SSO entry on passivation.
SingleSignOn.java around line 333:
    if (((session.getMaxInactiveInterval() > 0)
            && (System.currentTimeMillis() - session.getLastAccessedTimeInternal() >=
                session.getMaxInactiveInterval() * 1000))
            || (Session.SESSION_PASSIVATED_EVENT.equals(event.getType()))) {
        removeSession(ssoId, session);
As far as I'm concerned, removing the passivation event from this if condition would solve this problem. But I guess it is there for a reason?
> JBoss Web SingleSignOn valve does not work with <distributable/> apps
> ---------------------------------------------------------------------
>
> Key: WFLY-986
> URL: https://issues.jboss.org/browse/WFLY-986
> Project: WildFly
> Issue Type: Bug
> Reporter: Dennis Reed
> Assignee: Remy Maucherat
>
> The JBoss Web SingleSignOn valve does not work with <distributable/> applications.
> It incorrectly disassociates the SSO when a session is passivated.
> Since this happens on every request with <distributable/> applications (for session replication), the SSO entry is destroyed at the end of the request.
> The same issue of the SSO being removed would also happen if the session is passivated for any other reason.
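The failure mode described in the comment and issue text above, as a simplified model added here (it is not JBoss Web code and not part of the original message). All class and method names are hypothetical, and only the passivation branch of the quoted condition is modelled.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Simplified, hypothetical model of an SSO entry that tracks web sessions.
public class SsoPassivationModel {
    static class Session {
        final String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
    }

    static class SsoRegistry {
        private final Map<String, Set<Session>> entries = new HashMap<>();
        private final boolean dropOnPassivation; // true = behaviour reported in the issue

        SsoRegistry(boolean dropOnPassivation) { this.dropOnPassivation = dropOnPassivation; }

        void associate(String ssoId, Session s) {
            entries.computeIfAbsent(ssoId, k -> new LinkedHashSet<>()).add(s);
        }

        // Passivation event: the reported behaviour disassociates the session,
        // and an SSO entry left with no sessions is destroyed.
        void onPassivated(String ssoId, Session s) {
            Set<Session> sessions = entries.get(ssoId);
            if (sessions == null || !dropOnPassivation) return;
            sessions.remove(s);
            if (sessions.isEmpty()) entries.remove(ssoId);
        }

        // SSO logout: invalidate every session still associated with the entry.
        int logout(String ssoId) {
            Set<Session> sessions = entries.remove(ssoId);
            if (sessions == null) return 0;
            for (Session s : sessions) s.valid = false;
            return sessions.size();
        }
    }

    // Returns true when the application session is still valid after SSO logout.
    static boolean survivesLogout(boolean dropOnPassivation) {
        SsoRegistry sso = new SsoRegistry(dropOnPassivation);
        Session app = new Session("app-session");   // constructed sample session
        sso.associate("sso-1", app);                 // constructed sample SSO id
        sso.onPassivated("sso-1", app);              // end of a request in a <distributable/> app
        sso.logout("sso-1");
        return app.valid;
    }

    public static void main(String[] args) {
        System.out.println("drop on passivation, session survives logout: " + survivesLogout(true));
        System.out.println("keep on passivation, session survives logout: " + survivesLogout(false));
    }
}
```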