1 Reply Latest reply on Feb 12, 2015 7:46 PM by Joel Pearson

    JBoss EAP 6.3.2 Clustered SSO with unsecured pages

    Joel Pearson Newbie

      I am trying to get Clustered SSO working in JBoss EAP 6.3.2, I have session replication working fine, however SSO (user principal replication) is not working in all cases.

      It works properly when I use servlets that are secured inside a <security-contraint> that has an<auth-constraint> with an appropriate role.

      However for servlets that are not protected, SSO doesn't work until I first access a protected page, which seemes to kickstart the SSO and infinispan then finds the User Principal in the cluster.

      This is a problem, because I have a number of pages that behave differently whether you are logged in or not.

      I have a dodgy workaround where I call reauthenticateFromSSO inside a valve, however that doesn't work until a subsequent request (I presume I am too late in the chain). I could probably do a servlet FORWARD to work around this, but it just seems dodgy.

      Inside the standalone.xml I tried setting reauthenticate=true in the <sso cache-container="web" cache-name="sso" reauthenticate="true"/> line, however that just seemed to cause it to logout everytime I ended up on a different server in the cluster.

      Is there some magic setting inside JBoss to make it reauthenticate SSO on pages that don't require authentication?