Wildfly 8.2 SSO logout issue across apps in the same domain
danpoleary Apr 14, 2015 8:11 AM

I have some strange behaviour, and I am not sure why. I have two apps that work well in Tomcat 7, but do not behave correctly in Wildfly 8.2 and 9Beta2. I went through the various forum topics around SSO and Wildfly, but nothing resolves this specific issue.
1. In Tomcat, I can log in on one app, go to the 2nd app and I can see my login state is correct, log out in the 2nd app, return to the 1st app, and I am logged out there. This is correct.
2. In Tomcat, I can log in on one app, go to the 2nd app and I can see my login state is correct, return to the 1st app, log out in the 1st app, return to the 2nd app, and I am logged out there. This is correct.
3. In Wildfly, I log in to the 1st app, go to the 2nd app and I can see my login state is correct, log out of the 2nd app, return to the 1st app, but I am still logged in. Incorrect.
4. In Wildfly, I log in to the 1st app, go to the 2nd app and I can see my login state is correct, return to the 1st app, log out of the 1st app, go to the 2nd app, and I am logged out there as well. Correct.
Why does Wildfly fail the first test (3. above)?
Any pointers would be greatly appreciated.
Here are some of the extracts from my files:
From standalone.xml
<security-realm name="DataSourceRealm">
    <authentication>
        <jaas name="app"/>
    </authentication>
</security-realm>

<security-domain name="app" cache-type="default">
    <authentication>
        <login-module code="Database" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="dsJndiName" value="jdbc/icedb"/>
            <module-option name="principalsQuery" value="select PASSWORD from WSV_USR_PRFL_DEF where USR_PRFL_DEF_ID=?"/>
            <module-option name="rolesQuery" value="select USR_GRP_DEF_ID, 'Roles' from WSV_USR_GRP_MAP where USR_PRFL_DEF_ID = ?"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
        <login-module code="RoleMapping" flag="requisite">
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <single-sign-on path="/"/>
            .....
From the various applications' (WAR) jboss-web.xml:

<jboss-web>
    <context-root>/APPNAME</context-root>
    <security-domain flushOnSessionInvalidation="true">app</security-domain>
</jboss-web>
From my logout.java:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(name = "logout", urlPatterns = {"/lo.xhtml"}, loadOnStartup = 2)
public class Logout extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request,
                         HttpServletResponse response) throws ServletException, IOException {
        // Invalidate the local HTTP session, if one exists.
        HttpSession ses = request.getSession(false);
        if (ses != null) {
            ses.invalidate();
        }
        // Ask the container to log out the authenticated user.
        request.logout();
        response.sendRedirect(request.getContextPath());
    }
}
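To narrow down where the cross-application logout stops propagating in scenario 3, the following diagnostic filter can be dropped into both WARs. It is an added example, not code from the original post or from WildFly; it logs, before and after each request, the application context, the container's view of the authenticated user, the local session id, and whether the browser presented the Undertow SSO cookie. It assumes the default Undertow SSO cookie name JSESSIONIDSSO, since the `<single-sign-on path="/"/>` element in the excerpt above sets no cookie-name; the filter and class names are arbitrary.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (added example, not from the original post).
 * Logs the authentication state seen by each application on every request,
 * so the point at which the SSO logout stops propagating can be located.
 */
@WebFilter(filterName = "ssoStateLogger", urlPatterns = {"/*"})
public class SsoStateLoggerFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SsoStateLoggerFilter.class.getName());

    // Undertow's default SSO cookie name (assumption: cookie-name is not overridden in standalone.xml).
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        LOG.info(describe(request, "before"));
        try {
            chain.doFilter(req, res);
        } finally {
            // After the servlet ran: for the logout URL this shows whether
            // request.logout() actually cleared the container's user state.
            LOG.info(describe(request, "after"));
        }
    }

    /** One log line summarising the state the container reports for this request. */
    static String describe(HttpServletRequest request, String phase) {
        HttpSession session = request.getSession(false);
        return String.format("%s %s%s phase=%s remoteUser=%s session=%s ssoCookie=%s",
            request.getMethod(), request.getContextPath(), request.getServletPath(), phase,
            request.getRemoteUser(),
            session == null ? "none" : session.getId(),
            ssoCookieValue(request));
    }

    /** Returns a truncated SSO cookie value, or "absent"; the full value is a credential and is not logged. */
    static String ssoCookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return "absent";
        }
        for (Cookie c : cookies) {
            if (SSO_COOKIE.equals(c.getName())) {
                String v = c.getValue();
                return v.length() > 8 ? v.substring(0, 8) + "..." : v;
            }
        }
        return "absent";
    }

    @Override
    public void destroy() { }
}
```

Walk through scenario 3 with the filter deployed in both applications and compare the lines: the "after" line for /lo.xhtml in the 2nd app shows whether that application itself considers the user logged out, and the next "before" line from the 1st app shows whether the browser is still sending the SSO cookie and whether the 1st app still reports a remoteUser for it. That distinguishes an SSO entry that was never invalidated server-side from a cached local session that survived the logout.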