SSO Valve - Sessions not registered and therefore not invalidated on logout
lionelve Mar 4, 2014 2:08 AM
JBoss EAP 6.2.0.GA (AS 7.3.0.Final-redhat-14)
I configured two wars with the SSO valve and the same security domain.
Logging in to one app also logs you in to the other as expected.
However, if I log out from App 1, only that session is invalidated. As a result, when I log back in as a different user, App 2 has the old data in its session.
I need to invalidate all sessions when I logout. That seems to be the intention of the code in the SingleSignOn valve. The method deregister(String ssoId) (which is called on logout) includes this bit of code:
    // Expire any associated sessions
    Session sessions[] = sso.findSessions();
    for (int i = 0; i < sessions.length; i++) {
        // Remove from reverse cache first to avoid recursion
        synchronized (reverse) {
            reverse.remove(sessions[i]);
        }
        // Invalidate this session
        sessions[i].expire();
    }
The problem is that somehow the session from App 2 was not associated with the sso entry and it doesn't get invalidated here.
By the time I hit the second app the user principal has already been populated, so the SingleSignOn valve simply moves on to the next valve in the pipeline:
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        request.removeNote(Constants.REQ_SSOID_NOTE);
        // Has a valid user already been authenticated?
        if (request.getUserPrincipal() != null) {
            getNext().invoke(request, response);
            return;
        }
The FormAuthenticator does something similar:
    public boolean authenticate(Request request, HttpServletResponse response,
                                LoginConfig config) throws IOException {
        // References to objects we will need later
        Session session = null;
        // Have we already authenticated someone?
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (principal != null) {
            if (CatalinaLogger.AUTH_LOGGER.isDebugEnabled())
                CatalinaLogger.AUTH_LOGGER.debug("Already authenticated '" + principal.getName() + "'");
            // Associate the session with any existing SSO session
            if (ssoId != null)
                associate(ssoId, request.getSessionInternal(true));
            return (true);
        }
Because the SingleSignOn valve removes the REQ_SSOID_NOTE, the FormAuthenticator does not call associate in line 18.
To summarise, I don't see how App 2's session could be registered/associated with the sso entry so that it can be invalidated on logout.
Regards,
Lionel.
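Added example (not JBoss Web's code and not from the post): a small Java model of the bookkeeping the post describes. The class and method names, the `sso-1` id and the principal strings are constructed stand-ins; the two maps play the role of the SSO entry and the valve's reverse map, and the two scenarios show that App 2's session only gets expired on logout when the authenticator was able to associate it.

```java
import java.util.*;

public class SsoAssociationDemo {
    static class Session { final String app; boolean valid = true; Session(String app) { this.app = app; } }
    static class Request { String principal; String ssoCookie; String ssoIdNote; }
    // ssoId -> associated sessions (stands in for SingleSignOnEntry) plus the valve's reverse map
    static final Map<String, List<Session>> cache = new HashMap<>();
    static final Map<Session, String> reverse = new HashMap<>();

    static void associate(String ssoId, Session s) {
        cache.computeIfAbsent(ssoId, k -> new ArrayList<>()).add(s);
        reverse.put(s, ssoId);
    }
    // Mirrors deregister(ssoId) from the post: only sessions the entry knows about get expired
    static void deregister(String ssoId) {
        List<Session> sessions = cache.remove(ssoId);
        if (sessions == null) return;
        for (Session s : sessions) { reverse.remove(s); s.valid = false; }
    }
    // Mirrors SingleSignOn.invoke(): drop the note; pass through if a principal is already set;
    // otherwise resolve the SSO cookie and leave the note for the authenticator
    static void ssoValve(Request r) {
        r.ssoIdNote = null;
        if (r.principal != null) return;
        if (r.ssoCookie != null && cache.containsKey(r.ssoCookie)) {
            r.ssoIdNote = r.ssoCookie;
            r.principal = "user-from-sso-entry"; // constructed stand-in for the entry's principal
        }
    }
    // Mirrors the already-authenticated branch of FormAuthenticator.authenticate()
    static void formAuthenticator(Request r, Session s) {
        if (r.principal != null && r.ssoIdNote != null) associate(r.ssoIdNote, s);
    }
    // One visit to App 2 during an SSO login, then logout from App 1; returns whether App 2's session survived
    static boolean app2SurvivesLogout(boolean principalAlreadySet) {
        cache.clear(); reverse.clear();
        String ssoId = "sso-1";
        Session app1 = new Session("app1"), app2 = new Session("app2");
        associate(ssoId, app1);                            // login through App 1 registered its session
        Request r = new Request(); r.ssoCookie = ssoId;
        if (principalAlreadySet) r.principal = "user-set-before-valve";
        ssoValve(r);
        formAuthenticator(r, app2);
        deregister(ssoId);                                 // logout from App 1
        return app2.valid;
    }

    public static void main(String[] args) {
        System.out.println("principal set before the valve, App 2 session still valid: " + app2SurvivesLogout(true));   // true
        System.out.println("principal resolved by the valve, App 2 session still valid: " + app2SurvivesLogout(false)); // false
    }
}
```

The first run reproduces the stale-session condition from the post (the authenticator never sees the note, so nothing ties App 2's session to the SSO entry); the second shows the same logout expiring both sessions once the association exists.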