    SSO Valve - Sessions not registered and therefore not invalidated on logout

    Lionel Orellana

      JBoss EAP 6.2.0.GA (AS 7.3.0.Final-redhat-14)


      I configured two wars with the SSO valve and the same security domain.


      Logging in to one app also logs you in to the other as expected.


      However, if I log out from App 1, only that session is invalidated. As a result, when I log back in as a different user, App 2 has the old data in its session.


      I need to invalidate all sessions when I logout. That seems to be the intention of the code in the SingleSignOn valve. The method deregister(String ssoId) (which is called on logout) includes this bit of code:


      // Expire any associated sessions
      Session sessions[] = sso.findSessions();
      for (int i = 0; i < sessions.length; i++) {
          // Remove from reverse cache first to avoid recursion
          synchronized (reverse) {
          // Invalidate this session


      The problem is that somehow the session from App 2 was not associated with the sso entry and it doesn't get invalidated here.


      By the time I hit the second app the user principal has already been populated, so the SingleSignOn valve simply moves on to the next valve in the pipeline:


      public void invoke(Request request, Response response)
              throws IOException, ServletException {
          // Has a valid user already been authenticated?
          if (request.getUserPrincipal() != null) {
              getNext().invoke(request, response);



      The FormAuthenticator does something similar:


      public boolean authenticate(Request request,
                                  HttpServletResponse response,
                                  LoginConfig config)
              throws IOException {
          // References to objects we will need later
          Session session = null;
          // Have we already authenticated someone?
          Principal principal = request.getUserPrincipal();
          String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
          if (principal != null) {
              if (CatalinaLogger.AUTH_LOGGER.isDebugEnabled())
                  CatalinaLogger.AUTH_LOGGER.debug("Already authenticated '" +
                      principal.getName() + "'");
              // Associate the session with any existing SSO session
              if (ssoId != null)
                  associate(ssoId, request.getSessionInternal(true));
              return (true);




      Because the SingleSignOn valve removes the REQ_SSOID_NOTE, the FormAuthenticator does not call associate in line 18.


      To summarise, I don't see how App 2's session could be registered/associated with the sso entry so that it can be invalidated on logout.
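The following is an added model of the cache semantics the post describes; it is not code from the post, from JBoss Web or from Tomcat. SsoRegistry stands in for the SingleSignOn valve (its ssoId -> sessions cache and the reverse map), form_authenticate for the quoted part of FormAuthenticator.authenticate(), and the class names, the note key "ssoId" and the SSO id "sso-1" are assumptions chosen for the model. simulate() walks the scenario from the post (log in to App 1, visit App 2, log out of App 1) twice: once along the normal path, where the valve sets the principal from the SSO cookie and the authenticator then associates App 2's session, and once with the principal already on the request before the valve runs, where the note is never set, associate() is never called, and App 2's session survives deregister().

```python
"""Model of SingleSignOn register/associate/deregister semantics.

Added illustration, not JBoss Web / Tomcat code. Names such as
SsoRegistry, Session, Request, the note key "ssoId" and the SSO id
"sso-1" are assumptions made for this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(eq=False)
class Session:
    app: str
    valid: bool = True

    def expire(self) -> None:
        self.valid = False


@dataclass
class Request:
    app: str
    session: Session
    sso_cookie: Optional[str] = None
    user_principal: Optional[str] = None
    notes: Dict[str, str] = field(default_factory=dict)


class SsoRegistry:
    """cache: ssoId -> (principal, associated sessions); reverse: session -> ssoId."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, List[Session]]] = {}
        self.reverse: Dict[int, str] = {}

    def register(self, sso_id: str, principal: str) -> None:
        self.cache[sso_id] = (principal, [])

    def associate(self, sso_id: str, session: Session) -> None:
        # A session is only expired on logout if it was associated here.
        if sso_id not in self.cache:
            return
        self.cache[sso_id][1].append(session)
        self.reverse[id(session)] = sso_id

    def deregister(self, sso_id: str) -> None:
        # Expire every session associated with this SSO entry, nothing else.
        _, sessions = self.cache.pop(sso_id, (None, []))
        for s in sessions:
            self.reverse.pop(id(s), None)
            s.expire()

    def valve_invoke(self, request: Request) -> None:
        # Mirrors SingleSignOn.invoke(): the note is cleared, and a request that
        # already carries a principal is passed straight on without setting it.
        request.notes.pop("ssoId", None)
        if request.user_principal is not None:
            return
        if request.sso_cookie in self.cache:
            request.user_principal = self.cache[request.sso_cookie][0]
            request.notes["ssoId"] = request.sso_cookie


def form_authenticate(reg: SsoRegistry, request: Request,
                      login_as: Optional[str], new_sso_id: str) -> bool:
    """Mirrors the quoted part of FormAuthenticator.authenticate()."""
    if request.user_principal is not None:
        sso_id = request.notes.get("ssoId")
        if sso_id is not None:  # only then does the session get associated
            reg.associate(sso_id, request.session)
        return True
    if login_as is None:
        return False
    # Successful form login: register the SSO entry and associate this session.
    request.user_principal = login_as
    request.sso_cookie = new_sso_id
    reg.register(new_sso_id, login_as)
    reg.associate(new_sso_id, request.session)
    return True


def simulate(app2_principal_prepopulated: bool) -> Dict[str, bool]:
    """Log in to App 1, visit App 2, log out of App 1; report session validity."""
    reg = SsoRegistry()
    s1, s2 = Session("app1"), Session("app2")

    r1 = Request("app1", s1)  # App 1: form login creates SSO entry "sso-1"
    reg.valve_invoke(r1)
    form_authenticate(reg, r1, login_as="alice", new_sso_id="sso-1")

    # App 2: the browser presents the SSO cookie. In the failing case the
    # principal is already on the request before the valve runs.
    r2 = Request("app2", s2, sso_cookie="sso-1",
                 user_principal="alice" if app2_principal_prepopulated else None)
    reg.valve_invoke(r2)
    form_authenticate(reg, r2, login_as=None, new_sso_id="unused")

    reg.deregister("sso-1")  # logout from App 1
    return {"app1": s1.valid, "app2": s2.valid}


if __name__ == "__main__":
    print("normal path   :", simulate(False))
    print("pre-populated :", simulate(True))
```

In the normal path both sessions come back expired; with the principal pre-populated, App 2's session is still valid after the logout, which is the state the post describes. The check a practitioner would want from the real valve is the equivalent of the second run: confirm whether the App 2 request reaches the SingleSignOn valve with a principal already set, because that is the only way associate() is skipped in the quoted code.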