I have clustered SSO configured in a pair of JBoss AS 6.1 appservers (using the org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn valve) and the behaviour I am getting doesn't quite make sense to me. My web session timeout is set to 10 minutes, and the maxEmptyLife for the SSO valve is set to 60 seconds.
At login I expect that the SSO clustering will register the SSO id on both appservers and will associate the initial session on the first appserver with both appservers as well. What I see is the correct setup on the first appserver, but the second one gets the SSO id and has no session associated with it. So the second appserver times out the empty SSO after 60 seconds, and any attempt to access the application on that second appserver prompts for a login since the SSO is no longer valid.
Shouldn't the clustered representation of the SSO include the count of sessions across all the participants?
The SSO shouldn't time out on the second appserver while there is an active session on the first one. Have I understood this correctly?
Logging at login on the first appserver is:
2013-10-11 13:29:38,133 13250976 TRACE [system 10.64.33.91] sso.ClusteredSingleSignOn - Registering sso id 'FE7218A1256257858097E981FCBA826A' for user 'system' with auth type 'FORM'
2013-10-11 13:29:38,134 13250977 TRACE [system 10.64.33.91] ispn.SSOClusterManager - Registering SSO FE7218A1256257858097E981FCBA826A in clustered cache
2013-10-11 13:29:38,138 13250981 TRACE [system 10.64.33.91] sso.ClusteredSingleSignOn - Associate sso id FE7218A1256257858097E981FCBA826A with session StandardSession[872AC1FC9CCAD37BC3ECD40FB4219F00]
2013-10-11 13:29:38,139 13250982 TRACE [system 10.64.33.91] ispn.SSOClusterManager - addSession(): adding Session 872AC1FC9CCAD37BC3ECD40FB4219F00 to cached session set for SSO FE7218A1256257858097E981FCBA826A
2013-10-11 13:29:38,140 13250983 TRACE [system 10.64.33.91] ispn.SSOClusterManager - committing transaction
You can see that it is registering the SSO and doing the addSession as well, but on the second appserver:
2013-10-11 13:29:38,136 13267046 TRACE [OOB-19,null] ispn.SSOClusterManager - received a credentials modified message for SSO FE7218A1256257858097E981FCBA826A
2013-10-11 13:29:38,142 13267052 TRACE [OOB-19,null] ispn.SSOClusterManager - received a session modified message for SSO FE7218A1256257858097E981FCBA826A
2013-10-11 13:29:38,143 13267053 TRACE [OOB-19,null] ispn.SSOClusterManager - notifySSOEmpty: session count= 0 for ssoid= FE7218A1256257858097E981FCBA826A
2013-10-11 13:29:38,144 13267054 TRACE [OOB-19,null] sso.ClusteredSingleSignOn - Notified that SSO FE7218A1256257858097E981FCBA826A is empty
2013-10-11 13:29:38,146 13267056 TRACE [OOB-19,null] ispn.SSOClusterManager - received a session modified message for SSO FE7218A1256257858097E981FCBA826A
2013-10-11 13:29:38,147 13267057 TRACE [OOB-19,null] ispn.SSOClusterManager - notifySSOEmpty: session count= 0 for ssoid= FE7218A1256257858097E981FCBA826A
So it is seeing the SSO registration from the cache but doesn't seem to see the session that was added on the first appserver, and the session count is 0, so the SSO times out in 60 seconds.
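Added example, not part of the original post: a small script that correlates TRACE logs from both nodes and reports every "SSO empty" notification raised on one node after another node had already added a session to that SSO, which is the mismatch shown in the logs above. The node names, addresses and ids in the sample lines are constructed placeholders; it assumes node clocks are in sync and ignores session removals, whose log format the post does not show.

```python
import re
from collections import defaultdict

# Constructed sample lines in the trace format quoted in the post (ids are placeholders).
NODE_A = """\
2013-10-11 13:29:38,134 1 TRACE [system 10.0.0.1] ispn.SSOClusterManager - Registering SSO SSOID0001 in clustered cache
2013-10-11 13:29:38,139 2 TRACE [system 10.0.0.1] ispn.SSOClusterManager - addSession(): adding Session SESSION0001 to cached session set for SSO SSOID0001
"""
NODE_B = """\
2013-10-11 13:29:38,142 3 TRACE [OOB-19,null] ispn.SSOClusterManager - received a session modified message for SSO SSOID0001
2013-10-11 13:29:38,143 4 TRACE [OOB-19,null] ispn.SSOClusterManager - notifySSOEmpty: session count= 0 for ssoid= SSOID0001
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
ADD = re.compile(TS + r".*addSession\(\): adding Session (?P<sess>\S+)"
                      r" to cached session set for SSO (?P<sso>\S+)")
EMPTY = re.compile(TS + r".*notifySSOEmpty: session count= 0 for ssoid= (?P<sso>\S+)")


def find_false_empties(logs):
    """logs maps a node name to its log text.

    Returns (sso, empty_node, empty_ts, holder_node, session) for each
    empty-SSO notification on one node that came at or after a session was
    added to the same SSO on a different node.
    """
    adds = defaultdict(list)  # sso id -> [(timestamp, node, session id)]
    empties = []              # [(sso id, node, timestamp)]
    for node, text in logs.items():
        for line in text.splitlines():
            if m := ADD.search(line):
                adds[m["sso"]].append((m["ts"], node, m["sess"]))
            elif m := EMPTY.search(line):
                empties.append((m["sso"], node, m["ts"]))
    findings = []
    for sso, node, ts in empties:
        for add_ts, holder, sess in adds.get(sso, []):
            # Timestamps in this fixed-width format sort lexicographically.
            if holder != node and add_ts <= ts:
                findings.append((sso, node, ts, holder, sess))
    return findings


if __name__ == "__main__":
    for f in find_false_empties({"node1": NODE_A, "node2": NODE_B}):
        print("SSO %s reported empty on %s at %s while %s holds session %s" % f)
```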