-
1. Re: Problem storing session objects with SSO activated
marcial.atienzar May 31, 2015 3:59 AM (in response to marcial.atienzar)
The polling is only on one webapp. This webapp doesn't destroy the session; the others do.
-
2. Re: Problem storing session objects with SSO activated
pferraro Jun 2, 2015 5:02 PM (in response to marcial.atienzar)
I don't fully understand what you're trying to do. Can you post the relevant code/configuration?
-
3. Re: Problem storing session objects with SSO activated
marcial.atienzar Jun 3, 2015 3:25 AM (in response to pferraro)
We have this config in standalone-full.xml for SSO:
```xml
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <buffer-cache name="default" buffers-per-region="2048" max-regions="100"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" max-post-size="100000000"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="Cache-Control"/>
            <filter-ref name="Expires"/>
            <filter-ref name="Pragma"/>
            <single-sign-on path="/" http-only="true" cookie-name="SESSIONSSO"/>
        </host>
    </server>
    <servlet-container name="default" default-encoding="UTF-8">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <filters>
        <response-header name="Cache-Control" header-name="Cache-Control" header-value="private, no-cache, no-store, must-revalidate"/>
        <response-header name="Expires" header-name="Expires" header-value="-1"/>
        <response-header name="Pragma" header-name="Pragma" header-value="no-cache"/>
        <gzip name="gzipfilter"/>
    </filters>
</subsystem>
```
The cookie name is SESSIONSSO, but in Firefox I see this:
The name is JSESSIONIDSSO
In webapp we've this jboss-web.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web version="8.0"
           xmlns="http://www.jboss.org/j2ee/schema/"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.org/j2ee/schema/jboss-web_8_0.xsd">
    <security-domain flushOnSessionInvalidation="true">kyrianAuthRealm</security-domain>
    <disable-audit>true</disable-audit>
    <context-root>/kyrian</context-root>
    <default-encoding>UTF-8</default-encoding>
    <max-active-sessions>2000</max-active-sessions>
</jboss-web>
```
In a WebListener, we've this method:
```java
@Override
public void sessionCreated(HttpSessionEvent httpSessionEvent) {
    KyrianUser usrKyrian = (KyrianUser) httpSessionEvent.getSession()
            .getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
    if (usrKyrian == null) {
        String manageSession = httpSessionEvent.getSession().getServletContext()
                .getInitParameter("MANAGE_KYRIAN_SESSION");
        if ("S".equalsIgnoreCase(manageSession)) {
            usrKyrian = sessionCtx.getSessionInformation();
            if (usrKyrian != null) {
                // Update the session value so it is available to the remaining calls
                httpSessionEvent.getSession()
                        .setAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER, usrKyrian);
            }
        }
    }
}
```
The listener has this header:
```java
@WebListener("Listener de kyrian para las gestiones de la sesión")
public class KyrianSessionListener implements HttpSessionListener, HttpSessionIdListener,
        ServletContextListener, HttpSessionActivationListener,
        HttpSessionBindingListener, HttpSessionAttributeListener
```
On the client side, we have a timer every minute to see if the user has new notifications. With this approach the session is always kept alive on this webapp. But, after 30 min, the sessions are destroyed, I see it in the sessionDestroyed method, and the attribute that we've put on the session is null.
I have this WebFilter to get the session attribute and set new values on a RequestScope bean:
```java
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
// Imports for Logger, CommonConstant and the Kyrian* classes are not shown in the post.

@WebFilter(urlPatterns = "*")
public class KyrianSessionFilter implements Filter {

    @Inject
    private KyrianSessionContext sessionCtx;

    @Inject
    private KyrianRequestContext requestCtx;

    @Inject
    private Logger log;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest request = ((HttpServletRequest) servletRequest);
            String instanceSessionId = request.getHeader(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
            if (instanceSessionId != null) {
                KyrianUser usrSession = (KyrianUser) request.getSession()
                        .getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
                if (log.isInfoEnabled()) {
                    log.info("ID DE SESION {} / {}", instanceSessionId, request.getRequestURI());
                }
                if (usrSession != null) {
                    // Add the profile information associated with the instanceSessionId to the request
                    requestCtx.setUsrSession(usrSession);
                    requestCtx.setInstanceId(instanceSessionId);
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SIN ID DE SESION");
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {
        log.info("DESTROY DEL FILTRO CON EL IDE DE LA INSTANCIA DE SESION DEL USUARIO");
    }
}
```
-
4. Re: Problem storing session objects with SSO activated
pferraro Jun 4, 2015 9:06 AM (in response to marcial.atienzar)
[WFLY-4746] SSO cookie-name attribute is ignored - JBoss Issue Tracker
This looks like an oversight. I'll submit a fix for this momentarily.
-
5. Re: Problem storing session objects with SSO activated
marcial.atienzar Jun 4, 2015 10:51 AM (in response to pferraro)
If I don't change the SSO cookie name, will it work?
-
6. Re: Problem storing session objects with SSO activated
pferraro Jun 4, 2015 3:18 PM (in response to marcial.atienzar)
I'm still a little confused as to what you're trying to do. SSO only allows sharing of authenticated state across multiple web applications of the same host. Each web application will still use separate web sessions, which will expire independently. Is that your expected behavior?
-
7. Re: Problem storing session objects with SSO activated
marcial.atienzar Jun 4, 2015 3:26 PM (in response to pferraro)
Yes. But I have an Ajax request on every webapp so as not to lose the session at 30 min. But after 30 min all sessions of the webapps are destroyed and the session attribute is lost. If the user refreshes the page or calls another REST request it works, but the session attribute is lost.
-
8. Re: Problem storing session objects with SSO activated
marcial.atienzar Jun 4, 2015 5:10 PM (in response to pferraro)
Sorry, I'll try to explain myself. The solution that doesn't work:
- Only one webapp is polling the server. After 30 min all sessions are destroyed and the session attributes are lost. But as SSO is activated, the user can continue working in the app, but with errors because the session attributes are removed from the session.
The solution that works:
- polling in all webapp applications
- removing all cookies on the login page
In 9.0 I see that we can share sessions between webapps, but what about session timeout? If it expires in one session, will it expire in the others? Or if one session resets the timeout to 30 min, will it be reset for all the other sessions?
-
9. Re: Problem storing session objects with SSO activated
pferraro Jun 5, 2015 3:23 PM (in response to marcial.atienzar)
Every web application would have to poll the server, otherwise, those web sessions (they are separate, even though they share authenticated state) will expire if they are not accessed after 30 minutes.
Yes, in WF9, you can optionally share sessions across all web applications within a given host. In this case, for a given user, calls to HttpServletRequest.getSession() will effectively return the same object for all web applications. In this case, you only need to poll one webapp to prevent session expiration for any application.
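
Added example (not part of the thread and not the posters' code): because SSO keeps the user authenticated after one webapp's own session has expired, a filter can detect an authenticated caller whose session lacks its state and rebuild that state rather than assume it is present. The class name, the `USER_ATTR` attribute and `loadProfile` are hypothetical, and the sketch assumes the container has already authenticated the request before the filter runs.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: restores per-webapp session state when the local
// session timed out but the SSO cookie still authenticates the user.
@WebFilter(urlPatterns = "/*")
public class SessionStateGuardFilter implements Filter {

    // Assumed attribute name; stands in for the application's own constant.
    static final String USER_ATTR = "app.user";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            Principal caller = request.getUserPrincipal();
            if (caller != null) {
                // Authenticated, possibly only through the SSO cookie.
                HttpSession session = request.getSession(true);
                if (session.getAttribute(USER_ATTR) == null) {
                    // Fresh session for this webapp: rebuild its state from
                    // the authenticated identity, never from client input.
                    session.setAttribute(USER_ATTR, loadProfile(caller.getName()));
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // Placeholder for the application's own user lookup (assumption).
    private Object loadProfile(String userName) {
        return userName;
    }
}
```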
-
10. Re: Problem storing session objects with SSO activated
marcial.atienzar Jun 9, 2015 5:17 AM (in response to pferraro)
Last question about this:
- When I perform a logout on a webapp with SSO, what about the other cookies of the other webapps? Why do I need to remove all cookies from all webapps to perform a clean login before the user authenticates?
- Can I do the polling with a websocket, or are these sessions distinct from HTTP sessions?