Authentication cache with Clustered SSO
nicholas.f Sep 18, 2013 5:07 AM
I am confused about how authentication cache works in a clustered configuration with JBOSS AS 7.2.0 Final.
With two nodes:
- When logging in to an application on node1, the SSO cookie is successfully created
- Accessing the same application on node2 always goes through UsernamePasswordLoginModule::login() the first time using the credentials found with the cookie. So here we are properly logged in but it seems that it's not thanks to a replicated Principal but rather thanks to a reauthentication.
My understanding was that when using a cache in a clustered configuration we should have the Principal propagated to each node and therefore, we should not go through the login() of the LoginModule again.
What am I missing here? Is this a configuration issue or did I just misunderstand how it should work?
I found some threads (like Configuring a clustered SSO) mentioning there were some issues with SSO and clustering but it seems to be resolved in 7.2.0 Final ...
Thanks.
Here is my configuration:
standalone-ha.xml:
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <sso cache-container="web" cache-name="sso" reauthenticate="true"/>
    </virtual-server>
</subsystem>
....
<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
    ...
    <cache-container name="web" aliases="standard-session-cache" default-cache="repl" module="org.jboss.as.clustering.web.infinispan">
        <transport lock-timeout="60000"/>
        <replicated-cache name="repl" mode="ASYNC" batching="true">
            <file-store/>
        </replicated-cache>
        <replicated-cache name="sso" mode="SYNC" batching="true"/>
        <distributed-cache name="dist" l1-lifespan="0" mode="ASYNC" batching="true">
            <file-store/>
        </distributed-cache>
    </cache-container>
    ...
</subsystem>
...
<security-domain name="myDomain" cache-type="default">
    <authentication>
        <login-module code="com.MyLoginModule" flag="sufficient">
            <module-option name="silentFail" value="true"/>
        </login-module>
        ...
    </authentication>
</security-domain>
jboss-web.xml:
<jboss-web>
    <security-domain>myDomain</security-domain>
    <valve>
        <class-name>org.jboss.as.web.security.ExtendedFormAuthenticator</class-name>
        <param>
            <param-name>includePassword</param-name>
            <param-value>true</param-value>
        </param>
    </valve>
</jboss-web>