From the sounds of the scenario, it looks like for some reason the token issued when logging into application 1 is not being trusted when logging into sites 2, 3 and 4.
The trust server is a component of the federation server.
A couple of things I can suggest are:
If all the four sites are running in the same domain, make sure there is only one instance of the Federation Server running on this domain (Federation Server has the trust component).
Also, in the jboss-sso.sar/conf/sso.cfg.xml, make sure all four sites are pointing to this Federation Server for the trust component.
Also, can you provide details on what browser, on which OS, and what version you are using to test this?
Also, did you try running Application 1 in Vista on JBoss-4.0.3 and see?
Just some things to isolate the issue.
This is what the sso process does.
When a login request is sent, the first response back to the browser is a redirect to the context root.
This doesn't have the token cookie in the response.
The web application has a welcome page which forwards internally.
From the looks of it, it seems as if the app server is streaming content back to the browser immediately.
I put a breakpoint in SSOTokenManager inside the
It got hit twice immediately.
The second request was for a css file in the page that was being streamed back. (Note the browser had not yet displayed the resulting page.) Looks like IE starts processing as soon as it gets any content.
Now we have 2 requests in there to generate the token.
The TokenManager now calls JBOSSSingleSignOn to generate the token (getTokenSecret method).
The federation server now ends up with 2 requests for the same principal id.
It generates one token and returns it for one request.
The second request comes in and it generates a second token, replacing the earlier one.
However now the browser has the earlier token with it.
So when you connect to a different app the federation server doesn't find the token since its hashmap now has the new value.
Looking at the code, I was thinking that maybe we should synchronize the generateSecret method in org.jboss.security.federation.service.Trust and make it return an existing secret value if it finds one. Only if it doesn't find one should it generate a new one.
That's my 2 cents' worth.
Hope this helps.
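The overwrite described in the post above, as an added example that is not JBoss code: a hypothetical TrustStore-style class keeps a principal-to-secret map. RacyTrust behaves as the post describes (every call mints a new secret and overwrites the stored one, so the token the browser already holds stops validating), while SafeTrust implements the proposed fix, returning an existing secret and only creating one when none exists. Instead of synchronizing the whole method it uses ConcurrentHashMap.putIfAbsent (available since Java 5, the JBoss 4.0.x era), so concurrent requests for different principals never contend. The class names, the "alice" principal and the secret format are assumptions for illustration.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/**
 * Added example (not JBoss code). Models the race in the thread: two requests
 * for the same principal arrive before the cookie is set, the second
 * generateSecret call replaces the first secret, and the browser's token is
 * no longer found by the federation server.
 */
public class TokenRace {
    private static final SecureRandom RNG = new SecureRandom();

    /** 128-bit random secret rendered as hex (assumed format). */
    static String newSecret() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Behaviour as described in the post: every call overwrites the stored secret. */
    static class RacyTrust {
        private final Map<String, String> secrets = new HashMap<String, String>();
        // synchronized only so the HashMap itself is not corrupted; the logic is still wrong
        synchronized String generateSecret(String principal) {
            String s = newSecret();
            secrets.put(principal, s);
            return s;
        }
        synchronized boolean isValid(String principal, String secret) {
            return secret != null && secret.equals(secrets.get(principal));
        }
    }

    /** Proposed fix: reuse an existing secret; putIfAbsent makes check-and-set atomic per key. */
    static class SafeTrust {
        private final ConcurrentMap<String, String> secrets = new ConcurrentHashMap<String, String>();
        String generateSecret(String principal) {
            String existing = secrets.get(principal);
            if (existing != null) return existing;          // fast path, no locking
            String fresh = newSecret();
            String raced = secrets.putIfAbsent(principal, fresh);
            return raced != null ? raced : fresh;           // lost the race: use the winner's secret
        }
        boolean isValid(String principal, String secret) {
            return secret != null && secret.equals(secrets.get(principal));
        }
    }

    public static void main(String[] args) throws Exception {
        // Sequential reproduction: page request, then the CSS request for the same principal.
        RacyTrust racy = new RacyTrust();
        String cookieToken = racy.generateSecret("alice");   // token the browser keeps
        racy.generateSecret("alice");                        // second request overwrites it
        System.out.println("racy: browser token still valid? " + racy.isValid("alice", cookieToken));

        // Concurrent check of the fix: many parallel requests, every caller must get one secret.
        final SafeTrust safe = new SafeTrust();
        final Set<String> seen = Collections.synchronizedSet(new HashSet<String>());
        final CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<?>> tasks = new ArrayList<Future<?>>();
        for (int i = 0; i < 64; i++) {
            tasks.add(pool.submit(new Runnable() {
                public void run() {
                    try { start.await(); } catch (InterruptedException e) { return; }
                    seen.add(safe.generateSecret("alice"));
                }
            }));
        }
        start.countDown();                                   // release all threads at once
        for (Future<?> f : tasks) f.get();
        pool.shutdown();
        System.out.println("safe: distinct secrets handed out = " + seen.size());
        System.out.println("safe: every caller's token valid? "
                + safe.isValid("alice", seen.iterator().next()));
    }
}
```

With RacyTrust the cookie token is invalidated by the second request, which is exactly the symptom on sites 2, 3 and 4; with SafeTrust all 64 threads receive the same secret and it validates afterwards. The putIfAbsent form avoids the global lock a synchronized generateSecret would impose, so contention is limited to callers racing on the same principal. A real fix would also need to remove the entry on logout or expiry, which this example does not cover.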
You are correct. There needs to be a way to synchronize token generation and cookie creation with concurrent AJAX use cases.
However, synchronizing the token generation method can slow the server down very much and not scale.
I will have to look at the code and figure out the best way to synchronize this without paying a high price in performance.
Look at this JIRA task to track the progress: