I am trying to get Clustered SSO working in JBoss EAP 6.3.2, I have session replication working fine, however SSO (user principal replication) is not working in all cases.
It works properly when I use servlets that are secured inside a <security-contraint>
that has an<auth-constraint>
with an appropriate role.
However for servlets that are not protected, SSO doesn't work until I first access a protected page, which seemes to kickstart the SSO and infinispan then finds the User Principal in the cluster.
This is a problem, because I have a number of pages that behave differently whether you are logged in or not.
I have a dodgy workaround where I call reauthenticateFromSSO
inside a valve, however that doesn't work until a subsequent request (I presume I am too late in the chain). I could probably do a servlet FORWARD to work around this, but it just seems dodgy.
Inside the standalone.xml I tried setting reauthenticate=true
in the <sso cache-container="web" cache-name="sso" reauthenticate="true"/>
line, however that just seemed to cause it to logout everytime I ended up on a different server in the cluster.
Is there some magic setting inside JBoss to make it reauthenticate SSO on pages that don't require authentication?
I have got it working thanks to some clarification from people at StackOverflow.