1 Reply Latest reply on Nov 5, 2014 1:18 AM by Lionel Orellana

    Authentication cache with Clustered SSO

    Nicholas Fleury Newbie

      I am confused about how authentication cache works in a clustered configuration with JBOSS AS 7.2.0 Final

       

      With two nodes:

       

      - When login to an application on node1 sso cookie is successully created

      - Accessing the same application on node2 always goes through UsernamePasswordLoginModule::login() the first time using the credentials found with the cookie. So here we are properly logged in but it seems that it's not thanks to a replicated Principal but rather thanks to a reauthentication.

       

      My understanding was that when using a cache in a clustered configuration we should have the Principal propagated through each nodes and therefore, we should not go through the login() of the LogingModule again.

       

      What am I missing here ? Is this a configuration issue or did I just misunderstood how it should work ?

       

      I found some threads (like Configuring a clustered SSO  ) mentioning there was some issues with SSO and clustering but it seems to be resolved in 7.2.0 Final ...

       

      Thanks.

       

      Here is my configuration:

       

      standalone-ha.xml:

       

       

              <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                  <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                  <virtual-server name="default-host" enable-welcome-root="false">
                      <alias name="localhost"/>
                      <sso cache-container="web" cache-name="sso" reauthenticate="true"/>
                  </virtual-server>
              </subsystem>
      
      
        ....
      
      
           <subsystem xmlns="urn:jboss:domain:infinispan:1.4">
          ...
                  <cache-container name="web" aliases="standard-session-cache" default-cache="repl" module="org.jboss.as.clustering.web.infinispan">
                      <transport lock-timeout="60000"/>
                      <replicated-cache name="repl" mode="ASYNC" batching="true">
                          <file-store/>
                      </replicated-cache>
                      <replicated-cache name="sso" mode="SYNC" batching="true"/>
                      <distributed-cache name="dist" l1-lifespan="0" mode="ASYNC" batching="true">
                          <file-store/>
                      </distributed-cache>
                  </cache-container>
                  ...
              </subsystem>
      

       

              ...

       

       

        <security-domain name="myDomain" cache-type="default">
                  <authentication>
                      <login-module code="com.MyLoginModule" flag="sufficient">
                          <module-option name="silentFail" value="true"/>
                      </login-module>
                      ...
                  </authentication>
              </security-domain>
      

       

       

       

       

      jboss-web.xml:

       

       

      <jboss-web>
          <security-domain>myDomain</security-domain>
        <valve>
             <class-name>org.jboss.as.web.security.ExtendedFormAuthenticator</class-name>
             <param>
        <param-name>includePassword</param-name>
        <param-value>true</param-value>
         </param>
        </valve>
      </jboss-web>