[jboss-jira] [JBoss JIRA] (WFLY-5422) SSO is not destroyed after session timeout period of <distributable/> app.
Stuart Douglas (JIRA)
issues at jboss.org
Mon Sep 28 22:46:01 EDT 2015
[ https://issues.jboss.org/browse/WFLY-5422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas reassigned WFLY-5422:
------------------------------------
Steps to Reproduce:
1. Two identical FORM-authentication-based apps. Session timeout set to 1 min. Application marked <distributable/> in web.xml
2. SSO switched on in undertow subsystem in standalone.xml using <single-sign-on path="/" />
3. Access first application - login/password requested as expected. Login successful.
4. I can access second deployed application as well. - SSO works as expected.
5. Wait > 1 min
6a. Non-<distributable/> application
Accessing first and second application requires login
Active session count= 0. [1]
6b. <distributable/> application
Accessing first and second application doesn't require login
Active session count= 1. [2]
Assignee: Paul Ferraro (was: Stuart Douglas)
The root cause of this is that the clustering subsystem does not implement the Undertow SessionManager contract correctly. In particular, on timeout it just directly invokes the servlet HttpSessionListener implementations, but ignores any Undertow SessionListener implementations that are registered with DistributableSessionManager. As the SSO impl uses these listeners, the SSO session never expires.
> SSO is not destroyed after session timeout period of <distributable/> app.
> --------------------------------------------------------------------------
>
> Key: WFLY-5422
> URL: https://issues.jboss.org/browse/WFLY-5422
> Project: WildFly
> Issue Type: Bug
> Components: Clustering, Security
> Affects Versions: 10.0.0.CR2
> Reporter: Martin Choma
> Assignee: Paul Ferraro
> Priority: Critical
>
> Using a <distributable/> application causes the SSO not to be destroyed after the session timeout period. Based on [1], there is still an active session, which is probably the cause of the SSO not being destroyed.
> A similar setting in EAP6 requires the user to log in after the session timeout period.
> Setting priority to critical because of a regression with security impact.
> [1]
> [standalone at localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
> {
> "outcome" => "success",
> "result" => 0
> }
> [2]
> [standalone at localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
> {
> "outcome" => "success",
> "result" => 1
> }
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
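The root-cause comment above describes a missed callback: on timeout the distributable session manager fires the servlet-level listeners but not the container-level listeners that the SSO mechanism hooks into, so the SSO entry outlives every session it authenticated. The following is a constructed Python model of that contract, added here for illustration; it is not WildFly or Undertow code, and the class names, the `notifies_container_listeners` switch and the `"TIMEOUT"` reason string are assumptions chosen to mirror the ticket's description. It runs the reporter's scenario (two apps, one SSO cookie, wait past the 1 min timeout) once with a manager that honours the contract and once with one that skips the container listeners, and reports whether the SSO cookie still authenticates afterwards.

```python
# Constructed model of the listener contract behind WFLY-5422 (not WildFly/Undertow code).
# Two listener families exist: the servlet-level HttpSessionListener that applications
# register, and the container-level SessionListener that infrastructure such as SSO
# registers. A manager that only fires the former on timeout leaves SSO state alive.

from dataclasses import dataclass, field


@dataclass
class Session:
    id: str
    last_access: float                 # seconds since an arbitrary epoch
    max_inactive: float                # idle timeout in seconds (1 min in the report)
    attributes: dict = field(default_factory=dict)


class ServletSessionListener:
    """Models javax.servlet.http.HttpSessionListener (application-level listener)."""
    def session_destroyed(self, session: Session) -> None:
        raise NotImplementedError


class ContainerSessionListener:
    """Models the container-level SessionListener the SSO mechanism registers (assumed name)."""
    def session_destroyed(self, session: Session, reason: str) -> None:
        raise NotImplementedError


class AuditListener(ServletSessionListener):
    """Application listener that only records which sessions it was told about."""
    def __init__(self) -> None:
        self.destroyed: list[str] = []

    def session_destroyed(self, session: Session) -> None:
        self.destroyed.append(session.id)


class SsoManager(ContainerSessionListener):
    """SSO cookie -> ids of the sessions it authenticated across deployments.
    The SSO entry is dropped when its last member session is destroyed; that cleanup
    is exactly what never happens when the container listener is not invoked."""
    def __init__(self) -> None:
        self.sso_to_sessions: dict[str, set[str]] = {}
        self.session_to_sso: dict[str, str] = {}

    def associate(self, sso_id: str, session: Session) -> None:
        self.sso_to_sessions.setdefault(sso_id, set()).add(session.id)
        self.session_to_sso[session.id] = sso_id

    def session_destroyed(self, session: Session, reason: str) -> None:
        sso_id = self.session_to_sso.pop(session.id, None)
        if sso_id is None:
            return
        members = self.sso_to_sessions[sso_id]
        members.discard(session.id)
        if not members:                # last session gone: the SSO cookie stops authenticating
            del self.sso_to_sessions[sso_id]

    def is_valid(self, sso_id: str) -> bool:
        return sso_id in self.sso_to_sessions


class SessionManager:
    """Per-deployment session manager with a reaper that fires listeners on idle timeout."""
    def __init__(self, name: str, notifies_container_listeners: bool) -> None:
        self.name = name
        self.sessions: dict[str, Session] = {}
        self.servlet_listeners: list[ServletSessionListener] = []
        self.container_listeners: list[ContainerSessionListener] = []
        # False models the behaviour the ticket attributes to DistributableSessionManager.
        self.notifies_container_listeners = notifies_container_listeners

    def register_servlet_listener(self, listener: ServletSessionListener) -> None:
        self.servlet_listeners.append(listener)

    def register_listener(self, listener: ContainerSessionListener) -> None:
        self.container_listeners.append(listener)

    def create_session(self, session_id: str, now: float, max_inactive: float = 60.0) -> Session:
        session = Session(session_id, now, max_inactive)
        self.sessions[session_id] = session
        return session

    def expire_idle(self, now: float) -> int:
        """Destroy sessions idle past their timeout; returns how many were expired."""
        expired = [s for s in self.sessions.values() if now - s.last_access >= s.max_inactive]
        for session in expired:
            del self.sessions[session.id]
            for listener in self.servlet_listeners:          # always fired, as the ticket says
                listener.session_destroyed(session)
            if self.notifies_container_listeners:            # the step the buggy manager skips
                for listener in self.container_listeners:
                    listener.session_destroyed(session, "TIMEOUT")
        return len(expired)


def run_scenario(distributable: bool) -> tuple[bool, int]:
    """Log in to app1, SSO into app2, wait > 1 min, then ask whether the SSO cookie still
    authenticates. Returns (sso_still_valid, number_of_servlet_listener_calls)."""
    sso = SsoManager()
    audit = AuditListener()
    apps = [SessionManager(n, notifies_container_listeners=not distributable) for n in ("app1", "app2")]
    for app in apps:
        app.register_servlet_listener(audit)
        app.register_listener(sso)
    t0 = 0.0
    for app in apps:                                         # steps 3 and 4 of the report
        sso.associate("SSO-COOKIE", app.create_session(app.name + "-session", t0))
    for app in apps:                                         # step 5: wait > 1 min, reapers run
        app.expire_idle(t0 + 61.0)
    return sso.is_valid("SSO-COOKIE"), len(audit.destroyed)


if __name__ == "__main__":
    for flag in (False, True):
        valid, calls = run_scenario(flag)
        print(f"distributable={flag}: SSO valid after timeout={valid}, servlet listener calls={calls}")
```

Both runs invoke the servlet listeners twice, which is why an application-level HttpSessionListener sees nothing wrong; only the container-level callback decides whether the SSO cookie keeps authenticating, so a regression check for this class of bug has to look at the SSO state (or simply re-request a protected page after the timeout), not at the application's own listener counters.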