Bug 1175380

Summary: [GSS] (6.3.z) JBoss Web SingleSignOn valve does not work with <distributable/> apps
Product: JBoss Enterprise Application Platform 6
Component: Web
Version: 6.3.2
Target Release: EAP 6.3.3
Reporter: Aaron Ogburn <aogburn>
Assignee: Aaron Ogburn <aogburn>
QA Contact: Radim Hatlapatka <rhatlapa>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2014-12-17 21:38:40 UTC
Bug Depends On: 1173313

Description Aaron Ogburn 2014-12-17 15:43:57 UTC
Description of problem:

The JBoss Web SingleSignOn valve does not work with <distributable/> applications.  Replication throws a session passivation event, so every request has the SSO entry destroyed at the end at replication time.

Thus when doing a logout or session invalidation, session entries tied to the SSO are not invalidated after being improperly dropped by the replication/passivation event.



Version-Release number of selected component (if applicable):

JBossWeb 7.5


How reproducible:

Very


Steps to Reproduce:
1. Use standalone-full.xml with SSO added to the web subsystem:

            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <sso reauthenticate="false"/>
            </virtual-server>

2. Deploy the applications "afsa-sample-service.war" and "afsa-ui-jboss.war".
3. Add an application user with ./add-user.sh under the frevvo.Designer group/role.
4. Launch JBoss with java 7.
5. Go to http://localhost:8080/afsa-ui-jboss/login and login
6. Open a new tab and go to http://localhost:8080/afsa-sample-service/hello.jsp
7. Go back to the first tab and logout.
8. Log back in (as the same user or a different one; it doesn't matter).
9. Go to the second tab. Take notice of the timestamp that was originally generated and displayed.  Hit refresh. Notice how the timestamp doesn't change (the time is a session attribute, showing that the session wasn't invalidated after logout).

Actual results:

All sessions tied to an SSO entry are not invalidated upon logout or invalidation.


Expected results:

All sessions tied to an SSO entry are invalidated upon logout or invalidation. (But org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT has to be set true for SSO to cause invalidation just from request.logout())


Additional info:

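A scripted version of steps 5 to 9 above, added here as an example (it is not part of the bug report) so the check can be repeated against a fixed build. It assumes a servlet-style login form (j_username/j_password posted to the login URL), a logout path of /afsa-ui-jboss/logout, and that hello.jsp prints the session timestamp as YYYY-MM-DD HH:MM:SS; a True result from reproduce() means the session attribute survived the logout, which is the reported bug.

```python
import http.cookiejar
import re
import urllib.parse
import urllib.request

BASE = "http://localhost:8080"
LOGIN_URL = BASE + "/afsa-ui-jboss/login"
LOGOUT_URL = BASE + "/afsa-ui-jboss/logout"                # assumed path
HELLO_URL = BASE + "/afsa-sample-service/hello.jsp"
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")  # assumed format


def extract_timestamp(body):
    """First timestamp printed by hello.jsp (a session attribute), or None."""
    m = TIMESTAMP_RE.search(body)
    return m.group(0) if m else None


def session_survived_logout(before, after):
    """True reproduces the bug: the value stored before logout is still
    served after logout, so the session was never invalidated."""
    return before is not None and before == after


class Browser:
    def __init__(self):
        self.jar = http.cookiejar.CookieJar()  # one jar for both "tabs", as in a browser
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def get(self, url, fields=None):
        data = urllib.parse.urlencode(fields).encode() if fields else None
        return self.opener.open(url, data).read().decode("utf-8", "replace")

    def has_sso_cookie(self):
        # The SingleSignOn valve issues JSESSIONIDSSO; no cookie means SSO is not in play.
        return any(c.name == "JSESSIONIDSSO" for c in self.jar)


def reproduce(user, password):
    creds = {"j_username": user, "j_password": password}  # assumed form fields
    b = Browser()
    b.get(LOGIN_URL, creds)                                      # step 5
    assert b.has_sso_cookie(), "no JSESSIONIDSSO cookie: SSO valve not active"
    first = extract_timestamp(b.get(HELLO_URL))                  # step 6
    b.get(LOGOUT_URL)                                            # step 7
    b.get(LOGIN_URL, creds)                                      # step 8
    second = extract_timestamp(b.get(HELLO_URL))                 # step 9
    return session_survived_logout(first, second)
```

Run reproduce() with the frevvo.Designer user from step 3 against the server from step 4; on a fixed build the second timestamp differs and the function returns False.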
Comment 1 Aaron Ogburn 2014-12-17 16:16:33 UTC
PR: https://github.com/jbossas/jboss-eap/pull/2173
r2577 on JBossWeb 7.4.x