[jboss-jira] [JBoss JIRA] (WFLY-10630) HttpSessionListener.sessionDestroyed() not called if session invalidated in another WAR
Bernhard Kabelka (JIRA)
issues at jboss.org
Thu Aug 2 03:14:00 EDT 2018
[ https://issues.jboss.org/browse/WFLY-10630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13613561#comment-13613561 ]
Bernhard Kabelka commented on WFLY-10630:
-----------------------------------------
For me, reproducing the problem is possible also with the latest nightly build of WildFly. These are the steps I took:
# Download the latest WildFly nightly build (I used https://ci.wildfly.org/repository/download/WF_Nightly/114426:id/wildfly-14.0.0.Beta2-SNAPSHOT.zip).
# Extract the ZIP archive to an arbitrary folder (called {{$WILDFLY_DIR}} in the following) on your hard drive.
# Copy the attached files users.properties and roles.properties to {{$WILDFLY_DIR/standalone/configuration}}.
# Edit the {{standalone.xml}} in {{$WILDFLY_DIR/standalone/configuration}} by adding the following {{security-domain}} to the {{urn:jboss:domain:security}} subsystem (or copy the attached {{standalone.xml}} file to {{$WILDFLY_DIR/standalone/configuration}}).
{code:xml}
<security-domain name="sessionlistener">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
{code}
# Compile the sessionlistener-test project (linked under "Steps to Reproduce") via Maven (or use the attached {{sessionlistener-test.ear}}).
# Copy the {{sessionlistener-test.ear}} file to {{$WILDFLY_DIR/standalone/deployment}}.
# Start the server via calling {{$WILDFLY_DIR/bin/standalone.bat --server-config=standalone.xml}} (using a JDK in version 8 as {{JAVA_HOME}}).
# Wait until the server is started.
# Open the URL http://localhost:8080/sessionlistener/test in your browser. You should get a login page as shown in the attached screenshot.
# Enter the user name "ADMIN" and the password "admin" (observe lower and upper case).
# Click on the "Submit" button. You should be redirected to a page displaying a single "Logout" link.
# Click on the "Logout" link. You should be redirected to a blank page.
# Open the log file {{$WILDFLY_DIR/standalone/log/server.log}} and inspect the last few lines. There is only one notification about session creation (from at.kabelka.test.sessionlistener.war.ui.UISessionListener in the UI WAR), and one notification about session destruction (from at.kabelka.test.sessionlistener.war.ajax.AjaxSessionListener in the AJAX WAR).
> HttpSessionListener.sessionDestroyed() not called if session invalidated in another WAR
> ---------------------------------------------------------------------------------------
>
> Key: WFLY-10630
> URL: https://issues.jboss.org/browse/WFLY-10630
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 10.0.0.Final, 13.0.0.Final
> Environment: Windows 10, Java 1.8.0_131
> Reproducible with both WildFly-10.0.0.Final and Wildfly-13.0.0.Final
> Reporter: Bernhard Kabelka
> Assignee: Bartosz Baranowski
> Attachments: LoginForm.png, roles.properties, sessionlistener-test.ear, standalone.xml, users.properties
>
>
> For sessions shared across different WARs in a single EAR, the notification of HttpSessionListener works differently in WildFly 10.0.0.Final (and WildFly 13.0.0.Final) than it used to work in WildFly 8.2.0.Final:
> I have an EAR containing two WARs with enabled session sharing across the WARs. Basically, one WAR contains the web UI, and the other WAR contains the REST interfaces for AJAX calls made by the UI. The user authenticates against the UI-WAR. On logout, a REST method in the AJAX-WAR is triggered which calls HttpSession.invalidate() on the user session.
> In WildFly 8.2.0.Final, a HttpSessionListener in the UI-WAR gets notified immediately about session creation and destruction.
> In WildFly 13.0.0.Final, however, a HttpSessionListener in either WAR only gets one of the two notifications:
> * In the UI-WAR, I get a notification about the created session immediately when the login form is loaded. However, I do not receive any notification about the session destruction (unless it times out).
> * In the AJAX-WAR, I do not get any notification about the session creation at all, but I immediately receive a notification about the session destruction.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
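The log inspection from the last reproduction step can be automated, which helps when logout cleanup or audit code depends on sessionDestroyed() firing. This is an added example, not code from the reporter's project: the listener class names come from the comment above, while the log message wording, timestamps and session IDs are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in WildFly's default server.log layout. The message text
# ("Session created: <id>") is an assumption; the page does not show it.
SAMPLE_LOG = """\
2018-08-02 09:01:10,101 INFO  [at.kabelka.test.sessionlistener.war.ui.UISessionListener] (default task-1) Session created: s1AbC
2018-08-02 09:01:42,507 INFO  [at.kabelka.test.sessionlistener.war.ajax.AjaxSessionListener] (default task-3) Session destroyed: s1AbC
2018-08-02 09:05:00,000 INFO  [at.kabelka.test.sessionlistener.war.ui.UISessionListener] (default task-4) Session created: s2XyZ
2018-08-02 09:35:00,000 INFO  [at.kabelka.test.sessionlistener.war.ui.UISessionListener] (default task-9) Session destroyed: s2XyZ
"""

EVENT = re.compile(
    r"\[(?P<listener>[\w.]+SessionListener)\]\s+\([^)]*\)\s+"
    r"Session (?P<kind>created|destroyed): (?P<sid>\S+)"
)
LIFECYCLE = {"created", "destroyed"}


def unpaired_events(log_text):
    """Map (session_id, listener) -> the lifecycle event that listener never logged.

    A listener that logged both events for a session is healthy and omitted.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            seen[(m["sid"], m["listener"])].add(m["kind"])
    return {
        key: (LIFECYCLE - kinds).pop()
        for key, kinds in seen.items()
        if len(kinds) == 1
    }


if __name__ == "__main__":
    for (sid, listener), missing in sorted(unpaired_events(SAMPLE_LOG).items()):
        print(f"session {sid}: {listener.rsplit('.', 1)[-1]} never logged '{missing}'")
```

Session s1AbC reproduces the split described in the report (created only in the UI WAR, destroyed only in the AJAX WAR); session s2XyZ, where one listener logs both events, is not reported.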