10 Replies Latest reply on Jun 9, 2015 5:17 AM by marcial.atienzar

    Problem storing session objects with SSO activated

    marcial.atienzar

      Hello,

      We have an application with "n" webapps. All are connected with SSO by WildFly. On the client, we have a polling connection every minute to retrieve all new notices for the user. The session timeout of every servlet is 30 minutes.

      When we create the session we put a map on it, updating it on every request with new values.

      The application uses REST (WildFly implementation) with Ajax to call the server.

      After 30 minutes, I see in the logs that the session is destroyed and I lose my map on the session.

      Is this behavior correct?

      Lots of thanks,

           Marcial

        • 1. Re: Problem storing session objects with SSO activated
          marcial.atienzar

          The polling is only on one webapp. This webapp doesn't destroy the session, the others do.

          • 2. Re: Problem storing session objects with SSO activated
            pferraro

            I don't fully understand what you're trying to do.  Can you post the relevant code/configuration?

            • 3. Re: Problem storing session objects with SSO activated
              marcial.atienzar

              We have this config in standalone-full.xml for SSO:

              <subsystem xmlns="urn:jboss:domain:undertow:1.2">
                  <buffer-cache name="default" buffers-per-region="2048" max-regions="100"/>
                  <server name="default-server">
                      <http-listener name="default" socket-binding="http" max-post-size="100000000"/>
                      <host name="default-host" alias="localhost">
                          <filter-ref name="Cache-Control"/>
                          <filter-ref name="Expires"/>
                          <filter-ref name="Pragma"/>
                          <single-sign-on path="/" http-only="true" cookie-name="SESSIONSSO"/>
                      </host>
                  </server>
                  <servlet-container name="default" default-encoding="UTF-8">
                      <jsp-config/>
                      <websockets/>
                  </servlet-container>
                  <filters>
                      <response-header name="Cache-Control" header-name="Cache-Control" header-value="private, no-cache, no-store, must-revalidate"/>
                      <response-header name="Expires" header-name="Expires" header-value="-1"/>
                      <response-header name="Pragma" header-name="Pragma" header-value="no-cache"/>
                      <gzip name="gzipfilter"/>
                  </filters>
              </subsystem>

              The cookie name is SESSIONSSO, but in Firefox I see this:

              (screenshot: cookie.png)

              The name is JSESSIONIDSSO


              In the webapp we have this jboss-web.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web version="8.0" xmlns="http://www.jboss.org/j2ee/schema/"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.org/j2ee/schema/jboss-web_8_0.xsd" >
                  <security-domain flushOnSessionInvalidation="true">kyrianAuthRealm</security-domain>
                  <disable-audit>true</disable-audit>
                  <context-root>/kyrian</context-root>
                  <default-encoding>UTF-8</default-encoding>
                  <max-active-sessions>2000</max-active-sessions>
              </jboss-web>


              In a WebListener, we have this method:

              @Override
              public void sessionCreated(HttpSessionEvent httpSessionEvent) {
                  KyrianUser usrKyrian = (KyrianUser) httpSessionEvent.getSession()
                          .getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
                  if (usrKyrian == null) {
                      String manageSession = httpSessionEvent.getSession().getServletContext()
                              .getInitParameter("MANAGE_KYRIAN_SESSION");
                      if ("S".equalsIgnoreCase(manageSession)) {
                          // sessionCtx: the injected KyrianSessionContext, as in the filter below
                          usrKyrian = sessionCtx.getSessionInformation();
                          if (usrKyrian != null) {
                              // Update the session value so it can be obtained in the remaining calls
                              httpSessionEvent.getSession().setAttribute(
                                      CommonConstant.INSTANCE_SESSION_OPERTION_HEADER, usrKyrian);
                          }
                      }
                  }
              }

              The listener has this header:

              @WebListener("Listener de kyrian para las gestiones de la sesión")
              public class KyrianSessionListener implements HttpSessionListener, HttpSessionIdListener,
                      ServletContextListener, HttpSessionActivationListener,
                      HttpSessionBindingListener, HttpSessionAttributeListener


              On the client side, we have a timer every minute to see if the user has new notifications. With this approach the session is always kept alive on this webapp. But after 30 min the sessions are destroyed, I see it in the sessionDestroyed method, and the attribute that we put in the session is null.

              I have this WebFilter to get the session attribute and set new values on a RequestScoped bean:


              import java.io.IOException;
              import javax.inject.Inject;
              import javax.servlet.Filter;
              import javax.servlet.FilterChain;
              import javax.servlet.FilterConfig;
              import javax.servlet.ServletException;
              import javax.servlet.ServletRequest;
              import javax.servlet.ServletResponse;
              import javax.servlet.annotation.WebFilter;
              import javax.servlet.http.HttpServletRequest;
              import org.slf4j.Logger; // assumed: the {} placeholders below match the SLF4J API

              @WebFilter(urlPatterns = "*")
              public class KyrianSessionFilter implements Filter {

                  @Inject
                  private KyrianSessionContext sessionCtx;

                  @Inject
                  private KyrianRequestContext requestCtx;

                  @Inject
                  private Logger log;

                  @Override
                  public void init(FilterConfig filterConfig) throws ServletException {
                  }

                  @Override
                  public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                          FilterChain filterChain) throws IOException, ServletException {
                      if (servletRequest instanceof HttpServletRequest) {
                          HttpServletRequest request = (HttpServletRequest) servletRequest;
                          // The client sends the instance session id as a request header
                          String instanceSessionId = request.getHeader(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
                          if (instanceSessionId != null) {
                              KyrianUser usrSession = (KyrianUser) request.getSession()
                                      .getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
                              if (log.isInfoEnabled()) {
                                  log.info("ID DE SESION {} / {}", instanceSessionId, request.getRequestURI());
                              }
                              if (usrSession != null) {
                                  // Add to the request the profile information associated with the instanceSessionId
                                  requestCtx.setUsrSession(usrSession);
                                  requestCtx.setInstanceId(instanceSessionId);
                              }
                          } else {
                              if (log.isDebugEnabled()) {
                                  log.debug("SIN ID DE SESION");
                              }
                          }
                      }
                      filterChain.doFilter(servletRequest, servletResponse);
                  }

                  @Override
                  public void destroy() {
                      log.info("DESTROY DEL FILTRO CON EL IDE DE LA INSTANCIA DE SESION DEL USUARIO");
                  }
              }

              • 4. Re: Problem storing session objects with SSO activated
                pferraro

                [WFLY-4746] SSO cookie-name attribute is ignored - JBoss Issue Tracker

                This looks like an oversight.  I'll submit a fix for this momentarily.

                • 5. Re: Problem storing session objects with SSO activated
                  marcial.atienzar

                  If I don't change the SSO cookie name, will it work?

                  • 6. Re: Problem storing session objects with SSO activated
                    pferraro

                    I'm still a little confused as to what you're trying to do.  SSO only allows sharing of authenticated state across multiple web applications of the same host.  Each web application will still use separate web sessions, which will expire independently.  Is that your expected behavior?

                    • 7. Re: Problem storing session objects with SSO activated
                      marcial.atienzar

                      Yes. But I have an Ajax request on every webapp so the session is not lost at 30 min. But after 30 min all sessions of the webapps are destroyed and the session attribute is lost; if the user refreshes the page or calls another REST endpoint it works, but the session attribute is lost.

                      • 8. Re: Problem storing session objects with SSO activated
                        marcial.atienzar

                        Sorry, I'll try to explain myself. The solution that doesn't work:

                        - only one webapp is polling the server. After 30 min all sessions are destroyed and the session attributes are lost. But since SSO is activated, the user can continue working in the app, although with errors because the session attributes have been removed from the session.

                        The solution that works:

                        - polling in all webapp applications

                        - removing all cookies on the login page

                        In 9.0 I see that we can share the session between webapps, but what about the session timeout? If it expires in one session, will it expire in the others? Or if one session restores the timeout to 30 min, will it be restored for all the other sessions?

                        • 9. Re: Problem storing session objects with SSO activated
                          pferraro

                          Every web application would have to poll the server, otherwise, those web sessions (they are separate, even though they share authenticated state) will expire if they are not accessed after 30 minutes.

                           

                          Yes, in WF9, you can optionally share sessions across all web applications within a given host.  In this case, for a given user, calls to HttpServletRequest.getSession() will effectively return the same object for all web applications.  In this case, you only need to poll one webapp to prevent session expiration for any application.
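
                          One way to act on this answer, as an added example that is not code from the thread: because each webapp under SSO keeps its own HttpSession, a filter can rebuild the per-user map from the SSO-authenticated principal whenever a webapp's session has no copy of it, instead of polling every webapp to keep all sessions alive (which also defeats the idle timeout). The class name, the USER_STATE attribute and rebuildState() are assumed names.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not from the thread: each webapp keeps its own HttpSession even
// under SSO, so a session that expired and was recreated has no copy of the map.
// Rebuild it from the authenticated principal instead of keeping sessions alive.
@WebFilter(urlPatterns = "/*")
public class SsoStateRehydrationFilter implements Filter {
    static final String USER_STATE = "USER_STATE"; // hypothetical attribute name

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // SSO propagates the authenticated principal to every webapp of the host,
            // but not the session attributes of the webapp that created the map
            Principal user = http.getUserPrincipal();
            if (user != null) {
                HttpSession session = http.getSession(true);
                if (session.getAttribute(USER_STATE) == null) {
                    session.setAttribute(USER_STATE, rebuildState(user.getName()));
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical: reload what the map held from a store keyed by user name,
    // so the lost attribute is recoverable without touching the sibling webapps
    Map<String, Object> rebuildState(String userName) {
        Map<String, Object> state = new ConcurrentHashMap<>();
        state.put("user", userName);
        return state;
    }

    @Override
    public void destroy() {
    }
}
```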

                          • 10. Re: Problem storing session objects with SSO activated
                            marcial.atienzar

                            Last question about this:

                            • When I perform a logout on a webapp with SSO, what about the cookies of the other webapps? Why do I need to remove all cookies from all webapps to perform a clean login before the user authenticates?
                            • Can I do the polling with WebSocket, or are those sessions distinct from HTTP sessions?