3 Replies Latest reply on Mar 2, 2007 6:17 PM by Sohil Shah

    JBOSS SSO on JBOSS4.0.5 and Vista

    Nipun Batra Newbie


      I have a strange issue, I have 4 applications

      Application 1, Running on Vista and JBOSS 4.0.5
      Applications 2, 3, 4 Running on Win XP and JBOSS 4.0.3

      Note: I have updated tomcat patch on JBOSS 4.0.5

      The issue which I am facing is as follows

      A) If I login into Application 1 and from there I go to partner applications (2,3,4) SSO does not work.

      On further investigation I found that when I login to Application 1 I do get an SSO Token; however, the moment I go to partner sites I get a Logout token. Don't know why.

      Another strange thing is ..... if I login first into Application 2,3,4 (any) and then go to application 1 or any other partner website, SSO works fine

      The second strange thing I noticed

      If I start my jboss fresh (4.0.5 where Application 1 is running) and login into Application 1 and then go to partner applications (2,3,4) SSO works fine only for the first time. After this if I open another browser and do the same steps SSO does not work.

      Any suggestions?

      Thanks in advance

        • 1. Re: JBOSS SSO on JBOSS4.0.5 and Vista
          Sohil Shah Master


          From the sounds of the scenario, it looks like for some reason the token issued when logging into application 1 is not being trusted when logging into sites 2,3,4.

          The trust server is a component of the federation server.

          A couple of things I can suggest:

          If all the four sites are running in the same domain, make sure there is only one instance of the Federation Server running on this domain (Federation Server has the trust component).

          Also, in the jboss-sso.sar/conf/sso.cfg.xml, make sure all four sites are pointing to this Federation Server for the trust component.

          Also, can you provide details on what browser, on which OS, and what version you are using to test this?

          Also, did you try running Application 1 in Vista on JBoss-4.0.3 and see?

          Just some things to isolate the issue


          • 2. Re: JBOSS SSO on JBOSS4.0.5 and Vista
            Roshan Newbie

            This is what the sso process does.

            When a login request is sent, the first response back to the browser is a redirect to the context root.
            This doesn't have the token cookie in the response.
            The web application has a welcome page which forwards internally.
            From the looks of it it seems as if the app server is streaming content back to the browser immediately.

            I put a breakpoint in SSOTokenManager inside the
            It got hit twice immediately.
            The second request was for a css file in the page that was being streamed back. (Note the browser had not yet displayed the resulting page.) Looks like IE starts processing as soon as it gets any content.

            Now we have 2 requests in there to generate the token.

            The TokenManager now calls JBOSSSingleSignOn to generate the token (getTokenSecret method.)

            The federation server now ends up with 2 requests for the same principal id.
            It generates one token and returns it for one request.
            The second request comes in and it generates a second token replacing the earlier one.
            However now the browser has the earlier token with it.
            So when you connect to a different app the federation server doesn't find the token since its hashmap now has the new value.

            Looking at the code, I was thinking that maybe we should synchronize the
            generateSecret method in org.jboss.security.federation.service.Trust
            and make it return an existing secret value if it finds one. Only if it doesn't find one then generate a new one.
            That's my 2 cents worth.

            Hope this helps
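
The race described in the post above and the get-or-create fix it proposes, as an added example that is not part of the original posts and is not JBoss SSO code. The class `TokenRaceDemo`, its methods and the principal "alice" are hypothetical, the map stands in for the federation server's principal-to-secret store, and it uses current Java APIs (`ConcurrentHashMap.computeIfAbsent`) rather than those available to JBoss 4.0.x; token expiry and logout are out of scope.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

public class TokenRaceDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical stand-in for the federation server's principal -> secret map.
    private final ConcurrentHashMap<String, String> secrets = new ConcurrentHashMap<>();

    private static String newSecret() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Behaviour described in the thread: each call replaces the stored secret,
    // so a token already sent to the browser stops validating.
    String generateAlwaysNew(String principal) {
        String s = newSecret();
        secrets.put(principal, s);
        return s;
    }

    // Get-or-create, atomic per key: concurrent requests for one principal
    // receive the same secret, and other principals are not blocked.
    String generateOrReuse(String principal) {
        return secrets.computeIfAbsent(principal, p -> newSecret());
    }

    boolean isTrusted(String principal, String token) {
        return token.equals(secrets.get(principal));
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed scenario: the page request, then the CSS request.
        TokenRaceDemo racy = new TokenRaceDemo();
        String first = racy.generateAlwaysNew("alice");
        racy.generateAlwaysNew("alice");
        System.out.println("replace: first token trusted = " + racy.isTrusted("alice", first));

        TokenRaceDemo fixed = new TokenRaceDemo();
        String[] out = new String[2];
        Thread a = new Thread(() -> out[0] = fixed.generateOrReuse("alice"));
        Thread b = new Thread(() -> out[1] = fixed.generateOrReuse("alice"));
        a.start(); b.start(); a.join(); b.join();
        System.out.println("get-or-create: same token = " + out[0].equals(out[1]));
        System.out.println("get-or-create: trusted = " + fixed.isTrusted("alice", out[0]));
    }
}
```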


            • 3. Re: JBOSS SSO on JBOSS4.0.5 and Vista
              Sohil Shah Master


              You are correct. There needs to be a way to synchronize token generation and cookie creation with concurrent AJAX use cases.

              Although, synchronizing the token generation method can slow the server down very much and not scale.

              I will have to look at the code and figure out the best way to synchronize this without paying a high price for performance

              Look at this JIRA task to track the progress: