5 Replies Latest reply on Feb 11, 2015 9:12 PM by Lionel Orellana

    SSO Valve - Sessions not registered and therefore not invalidated on logout

    Lionel Orellana Newbie

      JBoss EAP 6.2.0.GA (AS 7.3.0.Final-redhat-14)

       

      I configured two wars with the SSO valve and the same security domain.

       

      Logging in to one app also logs you in to the other as expected.

       

      However if I log out from App 1 only that session is invalidated. As a result when I log back in as a different user, App 2 has the old data in its session.

       

      I need to invalidate all sessions when I logout. That seems to be the intention of the code in the SingleSignOn valve. The method deregister(String ssoId) (which is called on logout) includes this bit of code:

       

               // Expire any associated sessions
              Session sessions[] = sso.findSessions();
              for (int i = 0; i < sessions.length; i++) {
                  // Remove from reverse cache first to avoid recursion
                  synchronized (reverse) {
                      reverse.remove(sessions[i]);
                  }
                  // Invalidate this session
                  sessions[i].expire();
              }
      
      
      

       

      The problem is that somehow the session from App 2 was not associated with the sso entry and it doesn't get invalidated here.

       

      By the time I hit the second app the user principal has already been populated so the SingleSingOn valve simply moves on to the next valve in the pipeline:

       

       public void invoke(Request request, Response response)
              throws IOException, ServletException {
      
              request.removeNote(Constants.REQ_SSOID_NOTE);
      
              // Has a valid user already been authenticated?
              if (request.getUserPrincipal() != null) {
                  getNext().invoke(request, response);
                  return;
              }
      
      

       

       

      The FormAuthenticator does a something similar:

       

      public boolean authenticate(Request request,
                                      HttpServletResponse response,
                                      LoginConfig config)
              throws IOException {
      
              // References to objects we will need later
              Session session = null;
      
              // Have we already authenticated someone?
              Principal principal = request.getUserPrincipal();
              String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
              if (principal != null) {
                  if (CatalinaLogger.AUTH_LOGGER.isDebugEnabled())
                      CatalinaLogger.AUTH_LOGGER.debug("Already authenticated '" +
                          principal.getName() + "'");
                  // Associate the session with any existing SSO session
                  if (ssoId != null)
                      associate(ssoId, request.getSessionInternal(true));
                  return (true);
              }
      
      

       

       

       

      Because the SingleSignOn valve removes the REQ_SSOID_NOTE, the FormAuthenticator does not call associate in line 18.

       

      To summarise, I don't see how App 2's session could be registered/associated with the sso entry so that it can be invalidated on logout.

       

      Regards,

       

      Lionel.