The link works fine for me.
The web.xml has:
The jboss-web.xml looks like:
When I wanted to access any page one minute after the first login, I was asked to fill in the login info again.
But when I logged in again, my login module wasn't executed at all; JBoss authenticated me based on its cache!
Did I miss anything? Or is there anything wrong in the above configs?
I'm having similar problems with JBoss 3.2.6 when I'm trying to log out
a user. I have Tomcat SSO enabled. Here's a log printout of what's happening:
09:22:28,173 INFO [STDOUT] logoutSession get principal
09:22:28,173 INFO [STDOUT] logoutSession principal: testuser
09:22:28,173 INFO [STDOUT] JSESSIONIDSSO is removed, redirecting to Welcome page.
09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals before flush: [testuser]
09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals after flush: 
09:22:28,183 INFO [STDOUT] SMWelcomeForm constructor end
09:22:28,203 INFO [Engine] SingleSignOn[localhost]: Process request for '/Welcome.faces'
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for SSO cookie
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for cached principal for F34A9CDB06E28C1717F229131FC4FAC3
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Found cached principal 'testuser' with auth type 'FORM'
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Associate sso id F34A9CDB06E28C1717F229131FC4FAC3 with session StandardSession[4A91ACBA9C484E245E1817D9E0385260]
So the JBoss authentication cache flush seems to work correctly, but the SingleSignOn valve still allows login without re-authentication.
How can the re-authentication be forced with SSO enabled?
I have the same problem when using SSO with JBoss 3.2.5. I flush the JAAS cache programmatically. Without using SSO this works fine. When I enable SSO the cache still gets flushed; however, the user isn't re-authenticated. Has anyone got a solution to this problem?
If you add the attribute 'requireReauthentication="true"' to the SingleSignOn valve element in server.xml, all requests will be passed to the security Realm for authentication. If the security manager's cache has been flushed, the authentication request will come through to your login module.
A timeout of a session will not invalidate the SSO (unless it was the only session associated with the SSO), so the user will not be asked for their credentials. The credentials cached in the SSO will be used. But the request will go to your login module.
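As an added illustration of the fix described in the answer above (this is not a snippet from the thread or from the JBoss distribution), here is the SingleSignOn valve inside the Host element of Tomcat's server.xml, first with the default setting that reproduces the behaviour in the logs, then with requireReauthentication enabled. In JBoss 3.2.x this server.xml is assumed to live under deploy/jbossweb-tomcat50.sar; other Host attributes are omitted.

```xml
<!-- Added example, not part of the original thread. Assumes the JBoss 3.2.x
     Tomcat server.xml (deploy/jbossweb-tomcat50.sar/server.xml). -->
<Host name="localhost">

  <!-- Weak (default): requireReauthentication is false. Once the JSESSIONIDSSO
       cookie maps to a cached principal, the valve associates the new session
       with that principal without calling the Realm, so a flushed JAAS
       authentication cache is never consulted and the login module never runs. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->

  <!-- Corrected: every request carrying the SSO cookie is passed to the Realm
       with the credentials cached at first login. If the JaasSecurityManager
       cache entry for that principal has been flushed, the login module runs
       again; if it has not been flushed, the Realm still answers from cache. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="true" />

</Host>
```

Note what this does and does not change. With requireReauthentication="true" the valve still carries the user's credentials in the SSO entry, so a session timeout alone will not prompt for a password; it is the combination of that setting with an explicit flush of the JaasSecurityManager cache (for example the flushAuthenticationCache operation on the jboss.security:service=JaasSecurityManager MBean, keyed by security domain) that forces the login module to run again. Expiring the JSESSIONIDSSO cookie, as the logout code in the log above does, is not enough on its own because the valve's SSO entry survives as long as any associated session does.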