1 Reply Latest reply on May 26, 2015 10:32 AM by danpoleary

    Wildfly 8.2 SSO logout issue across apps in the same domain

    danpoleary

      I have some strange behaviour, and I am not sure why. I have two apps that work well in Tomcat 7, but do not behave correctly in Wildfly 8.2 and 9Beta2. I went through the various forum topics around SSO and Wildfly, but nothing resolves this specific issue.

       

      1. In Tomcat, I can log in on one app, go to the 2nd app and I can see my login state is correct, log out in the 2nd app, return to the 1st app, and I am logged out there. This is correct.

       

      2. In Tomcat, I can log in on one app, go to the 2nd app and I can see my login state is correct, return to the 1st app, log out in the 1st app, return to the 2nd app, and I am logged out there. This is correct.

       

      3. In Wildfly, I log in to the 1st app, go to the 2nd app and I can see my login state is correct, log out of the 2nd app, return to the 1st app, but I am still logged in. Incorrect.

       

      4. In Wildfly, I log in to the 1st app, go to the 2nd app and I can see my login state is correct, return to the 1st app, log out of the 1st app, go to the 2nd app, and I am logged out there as well. Correct.

       

      Why does Wildfly fail the first test (3. above)?

       

      Any pointers would be greatly appreciated.

       

      Here are some of the extracts from my files:

       

      From standalone.xml

       

          <security-realm name="DataSourceRealm">
              <authentication>
                  <jaas name="app"/>
              </authentication>
          </security-realm>

          <security-domain name="app" cache-type="default">
              <authentication>
                  <login-module code="Database" flag="requisite">
                      <module-option name="password-stacking" value="useFirstPass"/>
                      <module-option name="dsJndiName" value="jdbc/icedb"/>
                      <module-option name="principalsQuery" value="select PASSWORD from WSV_USR_PRFL_DEF where USR_PRFL_DEF_ID=?"/>
                      <module-option name="rolesQuery" value="select USR_GRP_DEF_ID, 'Roles' from WSV_USR_GRP_MAP where USR_PRFL_DEF_ID = ?"/>
                      <module-option name="unauthenticatedIdentity" value="guest"/>
                  </login-module>
                  <login-module code="RoleMapping" flag="requisite">
                      <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
                      <module-option name="replaceRole" value="false"/>
                  </login-module>
              </authentication>
          </security-domain>

       

          <subsystem xmlns="urn:jboss:domain:undertow:2.0">
              <buffer-cache name="default"/>
              <server name="default-server">
                  <http-listener name="default" socket-binding="http"/>
                  <host name="default-host" alias="localhost">
                      <single-sign-on path="/"/>
                      .....

       

      From the various applications' (WAR) jboss-web.xml:

       

          <jboss-web>
              <context-root>/APPNAME</context-root>
              <security-domain flushOnSessionInvalidation="true">app</security-domain>
          </jboss-web>

       

      From my logout.java:

       

          import java.io.IOException;

          import javax.servlet.ServletException;
          import javax.servlet.annotation.WebServlet;
          import javax.servlet.http.HttpServlet;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import javax.servlet.http.HttpSession;

          @WebServlet(name = "logout", urlPatterns = {"/lo.xhtml"}, loadOnStartup = 2)
          public class Logout extends HttpServlet {

              @Override
              protected void doGet(HttpServletRequest request, HttpServletResponse response)
                      throws ServletException, IOException {
                  // Drop this application's own session first; getSession(false)
                  // never creates a new one just to invalidate it.
                  HttpSession ses = request.getSession(false);
                  if (ses != null) {
                      ses.invalidate();
                  }
                  // Servlet 3.0 logout: clears the authenticated principal for this request.
                  request.logout();
                  response.sendRedirect(request.getContextPath());
              }
          }
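A way to pin down the expected contract before chasing the server: the following Python harness is an added example, not code from the post, from Tomcat or from WildFly. It encodes the two cross-application logout scenarios described above (log out of the second app, then check the first; log out of the first app, then check the second) against an in-memory model of container-managed SSO. The model implements the semantics the post reports as correct in Tomcat: one SSO entry records every application session created under it, a request that carries a valid SSO cookie but no application session is transparently re-authenticated, and logout from any application invalidates every linked session and removes the entry. It is a model of the expected behaviour only, not a statement about how Undertow implements SSO or why scenario 3 fails. The application names app1 and app2, the user name, and the session-id generation are assumptions; the cookie names JSESSIONID and JSESSIONIDSSO are the container defaults.

```python
import secrets

SSO_COOKIE = "JSESSIONIDSSO"   # default SSO cookie name in Tomcat and Undertow
APP_COOKIE = "JSESSIONID"      # per-context-root session cookie


class Browser:
    """Minimal cookie jar keyed by (name, path): each context root gets its own
    JSESSIONID, while the SSO cookie is issued for path "/" (single-sign-on path="/")."""

    def __init__(self):
        self.jar = {}

    def get(self, name, path):
        return self.jar.get((name, path))

    def set(self, name, path, value):
        if value is None:
            self.jar.pop((name, path), None)   # cookie cleared
        else:
            self.jar[(name, path)] = value


class SsoContainer:
    """In-memory model of container-managed SSO shared by several web apps.

    Semantics (the behaviour the post reports as correct in Tomcat, assumed here):
      * one SSO entry records the principal and every app session created under it;
      * a request with a valid SSO cookie and no app session is silently
        re-authenticated and gets a fresh app session linked to the entry;
      * logout from any app invalidates every linked session and drops the entry.
    """

    def __init__(self, apps):
        self.sessions = {app: {} for app in apps}   # app -> sid -> {"user", "sso"}
        self.sso = {}                                # sso_id -> {"user", "sessions"}

    def _new_session(self, browser, app, user, sso_id):
        sid = secrets.token_hex(8)                   # assumed session-id format
        self.sessions[app][sid] = {"user": user, "sso": sso_id}
        self.sso[sso_id]["sessions"].add((app, sid))
        browser.set(APP_COOKIE, "/" + app, sid)

    def login(self, browser, app, user):
        sso_id = browser.get(SSO_COOKIE, "/")
        if sso_id not in self.sso:
            sso_id = secrets.token_hex(8)
            self.sso[sso_id] = {"user": user, "sessions": set()}
            browser.set(SSO_COOKIE, "/", sso_id)
        self._new_session(browser, app, user, sso_id)

    def current_user(self, browser, app):
        """Who the container sees on a request to `app`, or None if logged out."""
        session = self.sessions[app].get(browser.get(APP_COOKIE, "/" + app))
        if session is not None:
            return session["user"]
        entry = self.sso.get(browser.get(SSO_COOKIE, "/"))
        if entry is None:
            return None
        # Valid SSO cookie but no app session: transparent re-authentication.
        self._new_session(browser, app, entry["user"], browser.get(SSO_COOKIE, "/"))
        return entry["user"]

    def logout(self, browser, app):
        """Mirror of the servlet in the post: invalidate the local session, then
        logout, which under SSO must tear down the whole entry."""
        local = self.sessions[app].pop(browser.get(APP_COOKIE, "/" + app), None)
        sso_id = local["sso"] if local else browser.get(SSO_COOKIE, "/")
        entry = self.sso.pop(sso_id, None)
        if entry:
            for other_app, other_sid in entry["sessions"]:
                self.sessions[other_app].pop(other_sid, None)
        browser.set(SSO_COOKIE, "/", None)


def run_logout_scenarios(container_factory, user="alice"):
    """Run the two cross-app scenarios from the post. Each entry is True only if
    SSO carried the login into app2 AND logging out of one app logged the user
    out of the other."""
    results = {}
    for name, logout_in in (("logout-from-second-app", "app2"),
                            ("logout-from-first-app", "app1")):
        c, b = container_factory(), Browser()
        c.login(b, "app1", user)
        seen_in_app2 = c.current_user(b, "app2") == user
        c.logout(b, logout_in)
        other = "app1" if logout_in == "app2" else "app2"
        results[name] = seen_in_app2 and c.current_user(b, other) is None
    return results


if __name__ == "__main__":
    print(run_logout_scenarios(lambda: SsoContainer(["app1", "app2"])))
```

`run_logout_scenarios` takes a factory so the same two scenarios can be pointed at a real deployment by supplying an object with `login`, `current_user` and `logout` methods that drive HTTP against the two context roots; the symptom the post describes as scenario 3 would show up as the `logout-from-second-app` entry coming back False while `logout-from-first-app` stays True.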