Bug 1175380 - [GSS] (6.3.z) JBoss Web SingleSignOn valve does not work with <distributable/> apps
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: EAP 6.3.3
Assignee: Aaron Ogburn
QA Contact: Radim Hatlapatka
URL:
Whiteboard:
Depends On: 1173313
Blocks:
Reported: 2014-12-17 15:43 UTC by Aaron Ogburn
Modified: 2018-12-09 19:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-12-17 21:38:40 UTC
Type: Bug
Embargoed:



Description Aaron Ogburn 2014-12-17 15:43:57 UTC
Description of problem:

The JBoss Web SingleSignOn valve does not work with <distributable/> applications.  Replication throws a session passivation event, so every request has the sso entry destroyed at the end at replication time.

Thus when doing a logout or session invalidation, session entries tied to the SSO are not invalidated after being improperly dropped by the replication/passivation event.



Version-Release number of selected component (if applicable):

JBossWeb 7.5


How reproducible:

Very


Steps to Reproduce:
1. Use standalone-full.xml with SSO added to the web subsystem:

            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <sso reauthenticate="false"/>
            </virtual-server>

2. Deploy the applications "afsa-sample-service.war" and "afsa-ui-jboss.war".
3. Add an application user with ./add-user.sh under the frevvo.Designer group/role.
4. Launch JBoss with java 7.
5. Go to http://localhost:8080/afsa-ui-jboss/login and login
6. Open a new tab and go to http://localhost:8080/afsa-sample-service/hello.jsp
7. Go back to the first tab and log out.
8. Log back in (as the same user or a different one, it doesn't matter).
9. Go to the second tab. Take notice of the timestamp that was originally generated and displayed.  Hit refresh. Notice how the timestamp doesn't change (the time is a session attribute, showing that the session wasn't invalidated after logout).

Actual results:

All sessions tied to an SSO entry are not invalidated upon logout or invalidation.


Expected results:

All sessions tied to an SSO entry are invalidated upon logout or invalidation. (But org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT has to be set true for SSO to cause invalidation just from request.logout())


Additional info:

Comment 1 Aaron Ogburn 2014-12-17 16:16:33 UTC
PR: https://github.com/jbossas/jboss-eap/pull/2173
r2577 on JBossWeb 7.4.x

