1 Reply. Latest reply on Feb 12, 2015 7:46 PM by japearson

    JBoss EAP 6.3.2 Clustered SSO with unsecured pages

    japearson

      I am trying to get Clustered SSO working in JBoss EAP 6.3.2. I have session replication working fine; however, SSO (user principal replication) is not working in all cases.

      It works properly when I use servlets that are secured inside a <security-constraint> that has an <auth-constraint> with an appropriate role.

      However, for servlets that are not protected, SSO doesn't work until I first access a protected page, which seems to kickstart the SSO, and Infinispan then finds the User Principal in the cluster.

      This is a problem, because I have a number of pages that behave differently depending on whether you are logged in or not.

      I have a dodgy workaround where I call reauthenticateFromSSO inside a valve; however, that doesn't work until a subsequent request (I presume I am too late in the chain). I could probably do a servlet FORWARD to work around this, but it just seems dodgy.

      Inside the standalone.xml I tried setting reauthenticate=true in the <sso cache-container="web" cache-name="sso" reauthenticate="true"/> line; however, that just seemed to cause it to log out every time I ended up on a different server in the cluster.

      Is there some magic setting inside JBoss to make it reauthenticate SSO on pages that don't require authentication?
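For readers following the distinction the post draws, the web.xml fragment below shows the two kinds of servlet described: one placed inside a <security-constraint> with an <auth-constraint> (where SSO is reported to work) and one left unconstrained (where it is reported to work only after a protected page has been visited). This is an added illustration, not configuration from the poster; the servlet names, URL patterns, role name and realm are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one protected and one unprotected servlet in the same
     application, as referred to in the post above. Names are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Assumed servlet that must always be behind a login (SSO works here). -->
  <servlet>
    <servlet-name>AccountServlet</servlet-name>
    <servlet-class>com.example.AccountServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AccountServlet</servlet-name>
    <url-pattern>/account/*</url-pattern>
  </servlet-mapping>

  <!-- Assumed servlet that is reachable anonymously but renders differently
       when request.getUserPrincipal() is non-null. No constraint applies. -->
  <servlet>
    <servlet-name>HomeServlet</servlet-name>
    <servlet-class>com.example.HomeServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HomeServlet</servlet-name>
    <url-pattern>/home</url-pattern>
  </servlet-mapping>

  <!-- Only /account/* is protected: the auth-constraint forces the container
       to authenticate (or consult SSO) before the servlet is invoked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name> <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name> <!-- assumed realm name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Requests to /home carry no <auth-constraint>, so the container has no reason to run the authenticator for them, which is the gap the post describes.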