[jboss-jira] [JBoss JIRA] (WFLY-5484) Calling HttpServletRequest.logout() with single sign-on enabled only works every second time
Paul Ferraro (JIRA)
issues at jboss.org
Thu Jan 7 14:49:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-5484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145989#comment-13145989 ]
Paul Ferraro edited comment on WFLY-5484 at 1/7/16 2:48 PM:
------------------------------------------------------------
This issue seems to be due to a conflict between Undertow's CachedAuthenticatedSessionMechanism and SingleSignOnMechanism. If the CachedAuthenticatedSessionMechanism detects an AuthenticatedSession in the HttpSession, the SingleSignOnMechanism never has the chance to register a security notification listener, thus the SSO is not invalidated on logout, not until the AuthenticatedSession is first removed from the session in a previous request. Reassigning this to [~swd847] as this is an issue with Undertow security, not with clustering SSO management.
was (Author: pferraro):
This issue seems to be due to a conflict between Undertow's CachedAuthenticatedSessionMechanism and SingleSignOnMechanism. If the CachedAuthenticatedSessionMechanism detects an AuthenticatedSession in the HttpSession, the SingleSignOnMechanism never has the chance to register a security notification listener, thus the SSO is not invalidated on logout. Reassigning this to [~swd847] as this is clearly an issue with Undertow security, not with clustering SSO management.
> Calling HttpServletRequest.logout() with single sign-on enabled only works every second time
> --------------------------------------------------------------------------------------------
>
> Key: WFLY-5484
> URL: https://issues.jboss.org/browse/WFLY-5484
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Richard Janík
> Assignee: Stuart Douglas
> Priority: Blocker
> Fix For: 10.0.0.CR5
>
> Attachments: reproducer-jbeap-1282.zip
>
>
> See "Steps to Reproduce". Logging out from an application only works every second time, e.g. HttpRequestServlet.logout() has to be called twice in order to have any effect.
> This doesn't occur without <single-sign-on/> enabled - logout() has the expected effect. The issue is security related, thus I'm adding our security team members as watchers.
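The mechanism conflict Paul Ferraro describes, as a constructed Python model (an added example, not Undertow or WildFly code): the Request class, the two mechanism functions and the dict-based SSO store are stand-ins for the real components, and the reordered chain is a hypothetical illustration, not the project's actual fix.

```python
# Toy model of the interaction described in WFLY-5484 (constructed, not Undertow code).
# Mechanisms run in order per request. If the cached mechanism finds an
# AuthenticatedSession in the HttpSession it answers first, the SSO mechanism
# never registers its logout listener, and logout() only clears the HttpSession.

class Request:
    def __init__(self, http_session, sso_sessions, sso_id):
        self.http_session = http_session    # dict standing in for HttpSession attributes
        self.sso_sessions = sso_sessions    # shared dict: SSO cookie value -> principal
        self.sso_id = sso_id                # SSO cookie presented by the client
        self.listeners = []                 # security notification listeners

    def logout(self):
        """Models HttpServletRequest.logout(): drop cached auth, notify listeners."""
        self.http_session.pop("AuthenticatedSession", None)
        for listener in self.listeners:
            listener(self)

def cached_session_mechanism(req):
    # Authenticates from the AuthenticatedSession cached in the HttpSession, if any.
    return req.http_session.get("AuthenticatedSession") is not None

def sso_mechanism(req):
    principal = req.sso_sessions.get(req.sso_id)
    if principal is None:
        return False
    req.http_session["AuthenticatedSession"] = principal  # cache for the next request
    # Only this mechanism registers the listener that invalidates the SSO session.
    req.listeners.append(lambda r: r.sso_sessions.pop(r.sso_id, None))
    return True

def logouts_until_sso_gone(mechanisms, max_attempts=3):
    """Call logout() once per request until the SSO session is gone; return the count."""
    sso_sessions = {"sso-1": "alice"}
    http_session = {"AuthenticatedSession": "alice"}  # cached by an earlier SSO request
    for attempt in range(1, max_attempts + 1):
        req = Request(http_session, sso_sessions, "sso-1")
        if not any(m(req) for m in mechanisms):
            return None  # not reached while the SSO session is still valid
        req.logout()
        if "sso-1" not in sso_sessions:
            return attempt
    return None

BUGGY = [cached_session_mechanism, sso_mechanism]      # order described in the comment
REORDERED = [sso_mechanism, cached_session_mechanism]  # hypothetical reorder, illustration only
```

With the described ordering the SSO session survives the first logout() and is only removed on the second request, which is the "every second time" behaviour in the report.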