A bit more reading/searching finds this post, https://community.jboss.org/thread/155273, that suggests that security credentials are not replicated with the session and that I need to configure SSO to get this to work. It suggests that I need to set up the ClusteredSingleSignOn valve in the jboss-web.xml file in the deployment. This is further described in the wiki at https://community.jboss.org/wiki/JBossWebSingleSignOn but this is quite out of date.
Is there anything written about how this works and should be configured? I can't find anything about what can be configured in jboss-web.xml.
I found someone else with the same problem posted a couple of days ago, https://community.jboss.org/thread/198857. They seem to have a bit more info on how it should be configured but it still isn't working for them either.
I'm still unable to get this to work correctly.
Session state is failing over OK but authentication state is not. Can anyone help or point to some current documentation about how to configure this?
Details of my configuration are as follows.
I have the following in my domain.xml for the web subsystem
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
        <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
    </virtual-server>
</subsystem>
and the web.xml for the application has the <distributable/> element. My application is using form based authentication. web.xml is
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>AuthenticationEx</display-name>
    <distributable/>
    <session-config>
        <session-timeout>2</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>Authentication Login</display-name>
        <web-resource-collection>
            <web-resource-name>SecuredArea</web-resource-name>
            <url-pattern>/index.jsf</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>other</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>other</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/bad-login.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>other</role-name>
    </security-role>
</web-app>
and jboss-web.xml is
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">other</security-domain>
    <replication-config>
        <replication-trigger>SET_AND_NON_PRIMITIVE_GET</replication-trigger>
        <replication-granularity>SESSION</replication-granularity>
    </replication-config>
</jboss-web>
and modcluster has been configured as well, the following is the subsystem configuration:
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise-socket="modcluster" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="busyness"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
finally, the httpd configuration is as follows
<VirtualHost 172.16.95.131:10001>
    LogLevel debug
    <Directory />
        Order deny,allow
        Deny from all
        Allow from all
    </Directory>
    # This directive allows you to view mod_cluster status at URL http://10.211.55.4:10001/mod_cluster-manager
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 172.16.95.
    </Location>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ManagerBalancerName other-server-group
    AdvertiseFrequency 5
    AdvertiseSecurityKey secret
    EnableMCPMReceive
</VirtualHost>
No, sorry. My current project work is with an old JBoss version (6.1) and we haven't had to progress the session sharing. When we do, it will be with the EAP 6.2.0 version.
I'd suggest trying it with the EAP 6.2.0 version or WildFly, which is now in candidate release state (8.0.0.CR1), if you have that option.