10 Replies Latest reply on Jun 9, 2015 5:17 AM by Marcial Atiénzar Navarro

    Problem storing session objects with SSO activated

    Marcial Atiénzar Navarro Newbie

      Hello,

       

      We've an application with "n" webapps. All are connected with SSO by wildfly. On client, we've a pooling connection every minute to retrieve all new notices to user. The session timeout of every servlet is 30 minutes.

       

      When we create the session we put on it a map, updating it every request with new values.

       

      The application use rest(wildfly implementarion) with ajax to call to server.

       

      After 30 minutes, I see on logs that the session is destroyed and I lost my map on the session.

       

      It's correct this behavior?

       

      Lot of thanks,

       

           Marcial

        • 1. Re: Problem storing session objects with SSO activated
          Marcial Atiénzar Navarro Newbie

          The pooling is only on webapp. This webapp don't destroy the session, the others yes.

          • 2. Re: Problem storing session objects with SSO activated
            Paul Ferraro Master

            I don't fully understand what you're trying to do.  Can you post the relevant code/configuration?

            • 3. Re: Problem storing session objects with SSO activated
              Marcial Atiénzar Navarro Newbie

              We've this config on standalone-full.xml to SSO:

              <subsystem xmlns="urn:jboss:domain:undertow:1.2">
                          <buffer-cache name="default" buffers-per-region="2048" max-regions="100"/>
                          <server name="default-server">
                              <http-listener name="default" socket-binding="http" max-post-size="100000000"/>
                              <host name="default-host" alias="localhost">
                                  <filter-ref name="Cache-Control"/>
                                  <filter-ref name="Expires"/>
                                  <filter-ref name="Pragma"/>
                                  <single-sign-on path="/" http-only="true" cookie-name="SESSIONSSO"/>
                              </host>
                          </server>
                          <servlet-container name="default" default-encoding="UTF-8">
                              <jsp-config/>
                              <websockets/>
                          </servlet-container>
                          <filters>
                              <response-header name="Cache-Control" header-name="Cache-Control" header-value="private, no-cache, no-store, must-revalidate"/>
                              <response-header name="Expires" header-name="Expires" header-value="-1"/>
                              <response-header name="Pragma" header-name="Pragma" header-value="no-cache"/>
                              <gzip name="gzipfilter"/>
                          </filters>
                      </subsystem>
              

               

              The cookie name is SESSIONSSO, but in Firefox I see this:

              cookie.png

              The name is JSESSIONIDSSO


              In webapp we've this jboss-web.xml

               

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web version="8.0" xmlns="http://www.jboss.org/j2ee/schema/"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.org/j2ee/schema/jboss-web_8_0.xsd" >
                  <security-domain flushOnSessionInvalidation="true">kyrianAuthRealm</security-domain>
                  <disable-audit>true</disable-audit>
                  <context-root>/kyrian</context-root>
                  <default-encoding>UTF-8</default-encoding>
                  <max-active-sessions>2000</max-active-sessions>
              </jboss-web>
              

               

              In a WebListener, we've  this method:

               

              @Override
              
                  public void sessionCreated(HttpSessionEvent httpSessionEvent) {
              
                      
              
                      KyrianUser usrKyrian = (KyrianUser)httpSessionEvent.getSession().getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
              
              
                      if(usrKyrian == null){
              
                          String manageSession = httpSessionEvent.getSession().getServletContext().getInitParameter("MANAGE_KYRIAN_SESSION");
              
                          if("S".equalsIgnoreCase(manageSession)){
              
                              usrKyrian = sessionCtx.getSessionInformation();
              
                              if(usrKyrian != null) {
              
                                  // Actualizamos el valor de la sesión para obtenerlo en el resto de llamadas
              
                                  httpSessionEvent.getSession().setAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER, usrKyrian);
              
                              }
              
                          }
              
              
                      }
              
                  }
              

               

              The listener has this header:

               

              @WebListener("Listener de kyrian para las gestiones de la sesión")
              
              public class KyrianSessionListener implements HttpSessionListener,HttpSessionIdListener,
              
                      ServletContextListener,HttpSessionActivationListener,
              
                      HttpSessionBindingListener,HttpSessionAttributeListener 
              

               

              On client side, we've a timer every minute to see if the user has new notifications. With this aproach the session is always keep alive on this webapp. But, after 30 min, the session are destroyed, I see it on sessionDestroyed method, and the attribute that we've put on session is null.

               

               

              I've this WebFilter to getSessionAttribute and set new values to a RequestScope Bean:

               

              @WebFilter(urlPatterns = "*")
              
              public class KyrianSessionFilter implements Filter {
              
                  @Inject
              
                  private KyrianSessionContext sessionCtx;
              
                  @Inject
              
                  private KyrianRequestContext requestCtx;
              
                  @Inject
              
                  private Logger log;
              
                  @Override
              
                  public void init(FilterConfig filterConfig) throws ServletException {
              
                  }
              
                  @Override
              
                  public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
              
                      if (servletRequest instanceof HttpServletRequest) {
              
                          HttpServletRequest request = ((HttpServletRequest) servletRequest);
              
                          String instanceSessionId = request.getHeader(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
              
                          if (instanceSessionId != null ) {
              
                              KyrianUser usrSession = (KyrianUser) request.getSession().getAttribute(CommonConstant.INSTANCE_SESSION_OPERTION_HEADER);
              
                              if(log.isInfoEnabled()) {
              
                                  log.info("ID DE SESION {} / {}", instanceSessionId,request.getRequestURI());
              
                              }
              
                              if(usrSession != null) {
              
                                  // Añadimos a la request la información del Perfil asociado al instanceSessionId
              
                                  requestCtx.setUsrSession(usrSession);
              
                                  requestCtx.setInstanceId(instanceSessionId);
              
                              }
              
                          } else {
              
                              if(log.isDebugEnabled()) {
              
                                  log.debug("SIN ID DE SESION");
              
                              }
              
                          }
              
                      }
              
                      filterChain.doFilter(servletRequest, servletResponse);
              
                  }
              
                  @Override
              
                  public void destroy() {
              
                      log.info("DESTROY DEL FILTRO CON EL IDE DE LA INSTANCIA DE SESION DEL USUARIO");
              
                  }
              
              }
              
              • 5. Re: Problem storing session objects with SSO activated
                Marcial Atiénzar Navarro Newbie

                If I will not change SSO cookie name it will work?

                • 6. Re: Problem storing session objects with SSO activated
                  Paul Ferraro Master

                  I'm still a little confused as to what you're trying to do.  SSO only allows sharing of authenticated state across multiple web application of the same host.  Each web application will still use separate web sessions, which will expire independently.  Is that your expected behavior?

                  • 7. Re: Problem storing session objects with SSO activated
                    Marcial Atiénzar Navarro Newbie

                    Yes. But I've an Ajax request on every webapp for no lost session at 30 min. But after 30 min all sessions of webapps are destroyed and the session attribute is lost, but if the user refresh the page or call another rest petition it works, but the session attribute are lost.

                    • 8. Re: Problem storing session objects with SSO activated
                      Marcial Atiénzar Navarro Newbie

                      sorry, i'll try to explain me. the solution that doesn't work:

                      - only one web-app is pooling to server. After 30 min all sessions are destroyed and the session attributes are lost. But how the sso is activated, the user can continue working on app, but with errors because the session attribute are removed from session.

                       

                      the solution that works:

                      - pooling in all webapp applications

                      - removing all cookies on login page

                       

                      in 9.0 I see that we can shared session between webapps, but what about session timeout? If it expires in one session, will expires in others. Or if in a one session it restores the timeout to 30 min, it will be restored to all the other sessions?

                      • 9. Re: Problem storing session objects with SSO activated
                        Paul Ferraro Master

                        Every web application would have to poll the server, otherwise, those web sessions (they are separate, even though they share authenticated state) will expire if they are not accessed after 30 minutes.

                         

                        Yes, in WF9, you can optionally share sessions across all web applications within a given host.  In this case, for a given user, calls to HttpServletRequest.getSession() will effectively return the same object for all web applications.  In this case, you only need to poll one webapp to prevent session expiration for any application.

                        • 10. Re: Problem storing session objects with SSO activated
                          Marcial Atiénzar Navarro Newbie

                          Last question about this:

                          • When I perform a logout on webapp with sso, what about the others cookies of the other webapps. Why I need to remove all cookies from all webapps to perfom a clean login before user authenticates?
                          • Can I make pooling with websocket, or this sessions are distinct from http sessions?