[jboss-jira] [JBoss JIRA] (WFLY-5473) Session.invalidate() does not invalidate SSO context for non-distributable applications
Richard Janík (JIRA)
issues at jboss.org
Tue Jan 5 04:51:01 EST 2016
[ https://issues.jboss.org/browse/WFLY-5473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Janík updated WFLY-5473:
--------------------------------
Attachment: reproducer.zip
I've attached the reproducer. Unzip it into a clean installation of EAP/Wildfly and run the reproducer.sh script.
I had been reproducing the issue manually before. I've been investigating some more while writing the reproducer and found that there are cases where it works (invalidation destroys the SSO context) and cases where it doesn't work. It works only if you invalidate the first session of the given SSO context. Here's an example (roughly the same thing the reproducer does):
* Start two servers, each with <single-sign-on/>, a user and a non-distributable deployment. Bind server1 to 127.0.0.1:8080 and server2 to 127.0.0.1:8180.
* Open a browser (Firefox), GET 127.0.0.1:8080/deployment, authenticate - we get JSESSIONID "x1" and JSESSIONIDSSO "y1"
* GET 127.0.0.1:8180/deployment (no need to authenticate) - we get JSESSIONID "x2" and JSESSIONIDSSO "y1"
* GET 127.0.0.1:8080/deployment (no need to authenticate) - we get JSESSIONID "x3" and JSESSIONIDSSO "y1"
* Invalidate the session on 127.0.0.1:8080 (JSESSIONID "x3"), then GET 127.0.0.1:8080/deployment - we're not required to authenticate, but we should be
* When I spoofed the cookies in step 4 (before accessing 127.0.0.1:8080 and creating a second session on that server) and invalidated the session with JSESSIONID "x1", it worked
> Session.invalidate() does not invalidate SSO context for non-distributable applications
> ---------------------------------------------------------------------------------------
>
> Key: WFLY-5473
> URL: https://issues.jboss.org/browse/WFLY-5473
> Project: WildFly
> Issue Type: Bug
> Components: Clustering, Web (Undertow)
> Reporter: Richard Janík
> Assignee: Paul Ferraro
> Priority: Blocker
> Fix For: 10.0.0.Final
>
> Attachments: reproducer.zip
>
>
> See "Steps to Reproduce" for detailed description.
> According to my limited knowledge, this was also the core issue in https://bugzilla.redhat.com/show_bug.cgi?id=924456 which has been dispatched as a one-off to a customer. Thus, I'm setting the priority to blocker as this is a regression against 6.4.x. No exceptions have been observed in the server output however.
> Adding Clustering component as I've been trying this with standalone-ha.xml and BZ 924456 relates to clustering.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
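Added example, not part of the JIRA message and not WildFly's or Undertow's code: an offline Python model of the single-sign-on lifecycle the report walks through. Two model "servers" share one SSO registry (standing in for the HA setup in which the report was run). The invariant a practitioner wants to check is that invalidating any session belonging to an SSO context destroys that context, so the next request on either server must authenticate again. The `buggy` flag reproduces only the observed symptom (just the context's first session tears it down); it is an assumption used to make the two outcomes visible, not a description of the real implementation. Cookie values `x1`/`y1` and the server names are the ones from the report, and both servers see the same cookie jar because the browser does not separate cookies by port.

```python
import itertools


class SsoContext:
    """One SSO context, keyed by JSESSIONIDSSO, with its member sessions."""

    def __init__(self, sso_id, first_member):
        self.sso_id = sso_id
        self.members = [first_member]  # (server name, JSESSIONID) in join order


class SsoRegistry:
    """Shared SSO store used by both servers (models the HA-shared context)."""

    def __init__(self):
        self.contexts = {}
        self._sso_ids = (f"y{n}" for n in itertools.count(1))
        self._session_ids = (f"x{n}" for n in itertools.count(1))

    def new_session_id(self):
        return next(self._session_ids)

    def create(self, server, session_id):
        ctx = SsoContext(next(self._sso_ids), (server, session_id))
        self.contexts[ctx.sso_id] = ctx
        return ctx.sso_id

    def join(self, sso_id, server, session_id):
        self.contexts[sso_id].members.append((server, session_id))

    def invalidate_member(self, sso_id, server, session_id, buggy):
        ctx = self.contexts.get(sso_id)
        if ctx is None:
            return
        if buggy and ctx.members[0] != (server, session_id):
            # Assumed model of the symptom: a non-first session leaves the
            # context alive, so other servers keep accepting JSESSIONIDSSO.
            ctx.members.remove((server, session_id))
            return
        # Expected behaviour: any member's invalidation destroys the whole
        # context, logging the user out on every participating server.
        del self.contexts[sso_id]


class Server:
    def __init__(self, name, registry, buggy=False):
        self.name = name
        self.registry = registry
        self.buggy = buggy
        self.sessions = {}  # JSESSIONID -> JSESSIONIDSSO of its context

    def get(self, cookies):
        """GET /deployment. Returns (had_to_authenticate, cookies to set)."""
        sid = cookies.get("JSESSIONID")
        sso = cookies.get("JSESSIONIDSSO")
        if sid in self.sessions and self.sessions[sid] in self.registry.contexts:
            return False, cookies  # live local session in a live SSO context
        self.sessions.pop(sid, None)  # local session whose context is gone
        new_sid = self.registry.new_session_id()
        if sso in self.registry.contexts:
            # Valid SSO cookie: the new local session joins the context, no login.
            self.registry.join(sso, self.name, new_sid)
            self.sessions[new_sid] = sso
            return False, {"JSESSIONID": new_sid, "JSESSIONIDSSO": sso}
        # No usable SSO context: authenticate and start a fresh context.
        sso = self.registry.create(self.name, new_sid)
        self.sessions[new_sid] = sso
        return True, {"JSESSIONID": new_sid, "JSESSIONIDSSO": sso}

    def invalidate(self, session_id):
        """Model of HttpSession.invalidate() on this server."""
        sso = self.sessions.pop(session_id, None)
        if sso is not None:
            self.registry.invalidate_member(sso, self.name, session_id, self.buggy)


def reproduce(buggy):
    """Steps 1-5 of the report; returns what a test oracle should check."""
    registry = SsoRegistry()
    server1 = Server("127.0.0.1:8080", registry, buggy)
    server2 = Server("127.0.0.1:8180", registry, buggy)
    auth, cookies = server1.get({})          # step 1: login -> x1 / y1
    assert auth and cookies == {"JSESSIONID": "x1", "JSESSIONIDSSO": "y1"}
    auth, cookies = server2.get(cookies)     # step 2: x2 / y1, no login
    auth, cookies = server1.get(cookies)     # step 3: x3 / y1, no login
    assert not auth and cookies["JSESSIONID"] == "x3"
    server1.invalidate("x3")                 # step 4: invalidate x3
    auth, _ = server1.get(cookies)           # step 5: re-auth expected
    return {"reauth_on_server1": auth, "sso_context_alive": "y1" in registry.contexts}


def reproduce_first_session(buggy):
    """Step 6 variant: invalidate the context's first session (x1) after step 2."""
    registry = SsoRegistry()
    server1 = Server("127.0.0.1:8080", registry, buggy)
    server2 = Server("127.0.0.1:8180", registry, buggy)
    _, cookies = server1.get({})
    _, cookies = server2.get(cookies)
    server1.invalidate("x1")                 # cookie spoofed back to x1
    auth, _ = server1.get({"JSESSIONID": "x1", "JSESSIONIDSSO": "y1"})
    return auth


if __name__ == "__main__":
    for flag in (False, True):
        print("buggy" if flag else "expected", reproduce(flag), reproduce_first_session(flag))
```

Run as a script it prints the expected outcome (re-authentication required, context gone) beside the modelled symptom (no re-authentication, context still alive), and shows that invalidating the first session tears the context down in both modes, matching the report's step 6. The same two functions can serve as the oracle for an integration test against real servers: after step 4, a GET on either port must come back with a login challenge.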