5 Replies Latest reply on Sep 2, 2014 8:47 AM by Rodrigo Parede

    Clustering - session replication vs SSO

    dantheman46 Newbie

      Hello everyone,


      I have got one fundamental question:


      Do I need to enable SSO in order to not have to login on every node in clustered environment?


      JBoss AS 7.2

      Started as a domain:  master + one slave host

      Application is secured using JEE6 JAAS mechanism using security-domain(database)


      The problem is that when I don't enable SSO I have to reauthenticate on every node.

      Session is replicated correctly - when I put something on one node I see it on another


      The problem dissappears when I enable SSO.

      JBoss replicates sso cache and using JSESSIONIDSSO cookie authenticate me


      14:45:44,707 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http-/ addSession(): adding Session S516oUsjgydH173HSd9Yafar to cached session set for SSO 7sCW+DIxyxr+CEooLhowqp4U


      In my oppinion SSO should be used to authenticate once and have an access to other applications (not clustered) using special token(JSESSIONIDSSO in JBoss)

      When I login into App A I could have access to App B without login again. App A and B are completely different applications - in that case we should use SSO


      In clustered environment AS should take care of session replication with authentication data - and there shouldn't be need to reauthenticate on every node or use SSO.


      I'll be grateful if someone clarify why authentication data is not replicated with session.

      Maybe I've missed something.