-
1. Re: Wildfly SSO, does it support session timeout and logout?
cweiler Jun 16, 2014 11:17 AM (in response to tmescic)
Question 2
A Request.logout should do this, or at least Session.invalidate followed by Request.logout
see
-
2. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jun 16, 2014 11:31 AM (in response to tmescic)
Question 1:
Is there a way to set a session timeout on the SSO session? Right now, when the session timeout occurs on one of my servlets
the user is still logged in (it has a valid JSESSIONIDSSO, and the SSO module just creates a new session automatically).
SSO is an authentication mechanism, not a session. A web session will have an associated SSO which associates the user with other application on that host. That SSO is not invalidated until there are no sessions associated with that SSO.
Question 2:
Is there a way to invalidate the SSO session programmatically? The same way you can invalidate a regular session by invoking
session.invalidate().
To logout programmatically, use HttpServletRequest.logout().
jboss-web.xml:
    <context-root>/one_of_my_wars</context-root>
    <security-domain>MyDomain</security-domain>
    <valve>
        <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
    </valve>
This <valve/> configuration is obsolete. Single sign-on is configured per host in the undertow subsystem (not per-application).
-
3. Re: Wildfly SSO, does it support session timeout and logout?
tmescic Jun 16, 2014 11:44 AM (in response to pferraro)
So basically, it would be enough to set a session-timeout in web.xml of all of my web apps, and after they all time out, SSO will be invalidated
(user will need to authenticate again). If this works, that's great, but I've already tried it, and it didn't work. I'll try again...
Regarding the programmatic logout, you mean that I need to keep track of all sessions and call HttpServletRequest.logout() on each one
individually? Isn't there a way to do it in one place only?
-
4. Re: Wildfly SSO, does it support session timeout and logout?
ctomc Jun 16, 2014 4:00 PM (in response to cweiler)
AS7-5728 has nothing to do with the current implementation in WildFly...
That said, behavior should be exactly the same.
-
5. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jun 16, 2014 6:56 PM (in response to tmescic)
Regarding the programmatic logout, you mean that I need to keep track of all sessions and call HttpServletRequest.logout() on each one
individually? Isn't there a way to do it in one place only?
In the same way that HttpServletRequest.login(...) will authenticate a user across applications, HttpServletRequest.logout() will log the user out across applications.
-
6. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jun 16, 2014 7:05 PM (in response to tmescic)
So basically, it would be enough to set a session-timeout in web.xml of all of my web apps, and after they all timeout, SSO will be invalidated
(user will need to authenticate again). If this works, that's great, but I've already tried it, and it didn't work. I'll try again...
I misspoke - the SSO is revoked after a session is explicitly invalidated (i.e. via HttpSession.invalidate()). So, session timeout does not trigger this.
-
7. Re: Wildfly SSO, does it support session timeout and logout?
tmescic Jun 17, 2014 4:41 AM (in response to pferraro)
Well, that seems wrong to me - if you enable SSO, your sessions will never expire due to inactivity of the user... Could this be a bug?
Any workarounds?
-
8. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jun 17, 2014 3:05 PM (in response to tmescic)
You are confusing authentication with session state. These are distinct concerns. The user's HttpSession will still expire due to inactivity. However, any JSESSIONIDSSO cookie might still be valid. This is no different from other authentication mechanisms.
-
9. Re: Wildfly SSO, does it support session timeout and logout?
cweiler Jun 18, 2014 11:20 AM (in response to pferraro)
So, to answer Question 1, what we need is a way to define the max lifetime of a granted ticket, where, after that, a re-authentication is required.
Is there such a configuration available?
-
10. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jun 22, 2014 9:24 AM (in response to cweiler)
The SSO should be automatically removed either when any associated session is invalidated - or when the last associated session times out. The latter is not happening correctly.
[UNDERTOW-269] SSO not destroyed when the last associated session times out. - JBoss Issue Tracker
-
11. Re: Wildfly SSO, does it support session timeout and logout?
tmescic Jul 2, 2014 7:38 AM (in response to pferraro)
I think I found another issue, this time the programmatic logout does not work as expected. I have a JAX-RS (RestEasy) service
with two paths (methods):
- http://server/security/login
- http://server/security/logout
The first one receives a username and a password and performs HttpServletRequest.login(username, password). This works OK,
SSO is created successfully and a valid JSESSIONIDSSO cookie is created. I can access my other webapps without the need
to authenticate again.
The logout method just performs HttpServletRequest.logout(). The problem is, the SSO is not destroyed after I call this method,
it is destroyed after this method is called by the client for the second time. I have also tried calling Session.invalidate() method
before the logout() method, and also calling the logout method two times in a row - it's still not working.
Could this also be a bug, or am I doing something wrong?
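A JAX-RS resource of the shape tmescic describes, with a login and a logout path, added here as an example; it is not code from the thread or from WildFly, and the class name SecurityResource, the /security path and the form parameter names are assumptions. The logout path invalidates the HttpSession before calling HttpServletRequest.logout(), the order cweiler suggested, and the login path returns a generic 401 on failure rather than echoing the reason.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

// Hypothetical class and path names; not from the thread or from WildFly.
@Path("/security")
public class SecurityResource {
    @Context
    private HttpServletRequest request;

    // Servlet 3 programmatic login against the deployment's security domain.
    // On success the container establishes the caller identity and the SSO entry.
    @POST
    @Path("/login")
    public Response login(@FormParam("username") String username,
                          @FormParam("password") String password) {
        if (request.getUserPrincipal() != null) {
            // login() throws ServletException if an identity is already established.
            return Response.noContent().build();
        }
        try {
            request.login(username, password);
        } catch (ServletException e) {
            // Generic 401: do not reveal whether the user exists or the password was wrong.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Make sure an HttpSession exists so the SSO has a session to be associated with.
        request.getSession(true);
        return Response.noContent().build();
    }

    // Invalidate the HttpSession first (explicit invalidation is what revokes the SSO
    // according to the thread), then drop the caller identity with logout().
    @POST
    @Path("/logout")
    public Response logout() throws ServletException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        request.logout();
        return Response.noContent().build();
    }
}
```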
-
12. Re: Wildfly SSO, does it support session timeout and logout?
pferraro Jul 2, 2014 9:37 AM (in response to tmescic)
The fix for that issue is here:
https://github.com/undertow-io/undertow/commit/edf51dc824c64a6ff4e9111e654f62fb7364a7eb
The original implementation of the logout authentication callback was not implemented correctly.
-
13. Re: Wildfly SSO, does it support session timeout and logout?
tmescic Jul 2, 2014 10:03 AM (in response to pferraro)
Thanks Paul. Do you know when the fixes (the one for session timeout and this one for logout)
could become available as part of a WildFly final release? WildFly 8.2.0.Final maybe?
P.S.
I took a quick look at the fix above and it seems to me that manager.removeSingleSignOn(ssoID) is called
in both the old and the fixed version (when a EventType.LOGGED_OUT event occurs) so I'm not sure how
the fix actually helps...
-
14. Re: Wildfly SSO, does it support session timeout and logout?
ctomc Jul 2, 2014 10:59 AM (in response to tmescic)
No reason why this shouldn't make it into 8.2.
The fix just needs to be backported to the undertow 1.0.x branch (are you up for it?),
as 8.2, when released, will just include the latest Undertow from the 1.0.x branch.