5 Replies Latest reply on Feb 11, 2015 9:12 PM by lionelve

SSO Valve - Sessions not registered and therefore not invalidated on logout

lionelve Mar 4, 2014 2:08 AM

JBoss EAP 6.2.0.GA (AS 7.3.0.Final-redhat-14)

I configured two wars with the SSO valve and the same security domain.

Logging in to one app also logs you in to the other as expected.

However if I log out from App 1 only that session is invalidated. As a result when I log back in as a different user, App 2 has the old data in its session.

I need to invalidate all sessions when I logout. That seems to be the intention of the code in the SingleSignOn valve. The method deregister(String ssoId) (which is called on logout) includes this bit of code:

         // Expire any associated sessions
        Session sessions[] = sso.findSessions();
        for (int i = 0; i < sessions.length; i++) {
            // Remove from reverse cache first to avoid recursion
            synchronized (reverse) {
                reverse.remove(sessions[i]);
            }
            // Invalidate this session
            sessions[i].expire();
        }

The problem is that somehow the session from App 2 was not associated with the sso entry and it doesn't get invalidated here.

By the time I hit the second app the user principal has already been populated so the SingleSingOn valve simply moves on to the next valve in the pipeline:

 public void invoke(Request request, Response response)
        throws IOException, ServletException {

        request.removeNote(Constants.REQ_SSOID_NOTE);

        // Has a valid user already been authenticated?
        if (request.getUserPrincipal() != null) {
            getNext().invoke(request, response);
            return;
        }

The FormAuthenticator does a something similar:

public boolean authenticate(Request request,
                                HttpServletResponse response,
                                LoginConfig config)
        throws IOException {

        // References to objects we will need later
        Session session = null;

        // Have we already authenticated someone?
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (principal != null) {
            if (CatalinaLogger.AUTH_LOGGER.isDebugEnabled())
                CatalinaLogger.AUTH_LOGGER.debug("Already authenticated '" +
                    principal.getName() + "'");
            // Associate the session with any existing SSO session
            if (ssoId != null)
                associate(ssoId, request.getSessionInternal(true));
            return (true);
        }

Because the SingleSignOn valve removes the REQ_SSOID_NOTE, the FormAuthenticator does not call associate in line 18.

To summarise, I don't see how App 2's session could be registered/associated with the sso entry so that it can be invalidated on logout.

Regards,

Lionel.

1. Re: SSO Valve - Sessions not registered and therefore not invalidated on logout

ctomc May 21, 2014 9:33 AM (in response to lionelve)

moved to proper forum
Actions
2. Re: SSO Valve - Sessions not registered and therefore not invalidated on logout

jkronegg Jul 2, 2014 8:20 AM (in response to lionelve)

I have the same issue under JBoss AS 5. According to the documentation, this should work...
Actions
3. Re: SSO Valve - Sessions not registered and therefore not invalidated on logout

lionelve Jul 28, 2014 2:48 AM (in response to lionelve)
My war had the <distributable/> tag in the web.xml. This caused the session to be removed from the valve before it could be invalidated. The behavior observed is described perfectly by https://issues.jboss.org/browse/WFLY-986.

Got this from Red Hat's support:

"Due to some issues in EAP 6:
non-clustered SSO only works with non-clustered apps.
clustered SSO only works with clustered apps."

Removing the <distributable/> fixed the issue.

I also found that it is not necessary to add the sso valve to every application involved as the doco wrongly suggests. You only need to add

<sso reauthenticate="false"/>

to the default-host in the standalone.xml.
Actions
4. Re: SSO Valve - Sessions not registered and therefore not invalidated on logout

lionelve Nov 6, 2014 11:39 PM (in response to lionelve)
The <distributable/> tag causes the session to be passivated and on passivation the SSO Valve removes the session from the sso entry (sessionEvent method in SingleSignOn.java line 333). With the session removed from the sso entry it doesn't get invalidated when you logout. Not sure why the session needs to be removed from the sso entry on passivation.

SingleSignOne.java ln 333:

// Was the session destroyed as the result of a timeout? // If so, we'll just remove the expired session from the // SSO. If the session was logged out, we'll log out // of all session associated with the SSO. if (((session.getMaxInactiveInterval() > 0) && (System.currentTimeMillis() - session.getLastAccessedTimeInternal() >= session.getMaxInactiveInterval() * 1000)) || (Session.SESSION_PASSIVATED_EVENT.equals(event.getType()))) { removeSession(ssoId, session);

Simply removing the passivation event would solve this problem but I assume it is there for a reason?
Actions
5. Re: SSO Valve - Sessions not registered and therefore not invalidated on logout

lionelve Feb 11, 2015 9:12 PM (in response to lionelve)

This was raised in EAP's bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1173313
Actions

Go to original post