1 Reply Latest reply on Jun 5, 2012 4:40 AM by jaikiran

    Issue with single sign on used in JBoss 7.1.1.

    lszymik

We have a problem while invalidating sessions which were associated with the SSO context during login.

      We are running a few web applications within one and the same security domain. We have sso reauthenticate set to "false". Applications are deployed as separate WAR files.

Web application access is protected by proper security constraints and authentication constraints for a specified role (the same for each web app) applied in the web.xml descriptors. This is done for all applications except one login application, which is used to show the welcome page and login window.

      In the standalone.xml file we have this configuration:

      {code:xml}
      <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
          <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
          <virtual-server name="default-host" enable-welcome-root="true">
              <alias name="localhost"/>
              <alias name="example.com"/>
              <sso reauthenticate="false"/>
          </virtual-server>
      </subsystem>
      {code}

      Each application has:

      {code:xml}
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <security-domain>iS3Login</security-domain>
      </jboss-web>
      {code}

      We perform login using the programmatic login mechanism (the login method on HttpServletRequest). We trigger the programmatic login using an AJAX call. After the login process completes successfully we redirect the user to another web application, which was previously not accessible due to an HTTP 403 error. This is correct and works as expected. We are using Servlet 3.0. The session timeout is set to infinite (-1).

      When we log out (from the same application we used to log in) we use the invalidate or logout methods on the session or the request, respectively. While doing programmatic logout, we use AJAX calls too.

      After logout, the protected applications are not available again, showing a 403 error, which is correct and works as expected.

      The problem is when we login as another user after doing logout.

      The access is granted, but old http sessions remain and new user can access old sessions.

      This is a serious security vulnerability in our opinion. While doing logout or invalidate, only one session within the SSO context is invalidated, not all. We expected that all sessions are invalidated.

      Please tell us if this is a correct behavior or help us solve this problem.


      Thanks in advance for any help.
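One application-side safeguard for the situation described above (an old session surviving logout, or being reached by a different user after a new login) is to bind each session to the user it was created for and check that binding on every request. The following servlet filter is an added example written for this thread; it is not code from the original post or from JBoss. It assumes the Servlet 3.0 javax.servlet API that JBoss AS 7.1.1 provides; the package name, class name and session attribute name are assumptions.

```java
package example.sso; // package name is an assumption

import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Defence in depth for the stale-session case described in the post: every
 * request compares the user the session was created for with the user the
 * container currently reports via request.getUserPrincipal(). If they differ,
 * the old session is discarded before any application code can read it.
 * Deploy one copy in each protected WAR; it needs no shared state.
 */
@WebFilter(urlPatterns = "/*")
public class SessionOwnerFilter implements Filter {

    /** Session attribute holding the owning user name (attribute name is an assumption). */
    static final String OWNER_ATTR = "example.sso.owner";

    /** What to do with an existing session, given its owner and the current principal. */
    enum Action { BIND, KEEP, INVALIDATE }

    /** Pure decision logic, kept separate so it can be unit-tested without a container. */
    static Action decide(String owner, String currentUser) {
        if (owner == null) {
            // anonymous session: bind it as soon as the user is authenticated
            return currentUser == null ? Action.KEEP : Action.BIND;
        }
        // session belongs to someone: keep it only while that same user is logged in
        return owner.equals(currentUser) ? Action.KEEP : Action.INVALIDATE;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal principal = request.getUserPrincipal();
        String currentUser = (principal == null) ? null : principal.getName();
        HttpSession session = request.getSession(false);

        if (session != null) {
            String owner = (String) session.getAttribute(OWNER_ATTR);
            switch (decide(owner, currentUser)) {
                case BIND:
                    session.setAttribute(OWNER_ATTR, currentUser);
                    break;
                case INVALIDATE:
                    // created for another user, or the user has logged out of the SSO
                    session.invalidate();
                    if (currentUser != null) {
                        // give the newly logged-in user a fresh, empty session of their own
                        request.getSession(true).setAttribute(OWNER_ATTR, currentUser);
                    }
                    break;
                case KEEP:
                default:
                    break;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter does not change how the container's SSO valve ties sessions together; it only guarantees that, within each WAR that carries it, a session created for user A is never served to user B or to an unauthenticated request after A's logout. The login application, which has no security constraint, can leave it out, while each protected WAR should include its own copy because the servlet sessions of separate WARs are independent.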



        • 1. Re: Issue with single sign on used in JBoss 7.1.1.
          jaikiran

          I don't have much experience with the SSO configuration and implementation, but what do you mean by:

          Lukasz Szymik wrote:

          While doing logout or invalidate, only one session within the SSO context is invalidated, not all. We expected that all sessions are invalidated.

          Well, since the invalidate call is being done on a specific session, I don't see why it should invalidate all sessions.


          And what does this mean:

          Lukasz Szymik wrote:


          The problem is when we login as another user after doing logout.

          The access is granted, but old http sessions remain and new user can access old sessions.