Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1593129

Summary: [GSS](6.4.z) loginmodule.logout() is not invoked when session replicated
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Hisanobu Okuda <hokuda>
Component: WebAssignee: jboss-set
Status: CLOSED CURRENTRELEASE QA Contact: Peter Mackay <pmackay>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.19CC: bmaxwell, chaowan, dcihak, jmason, pmackay, rmaucher, rstancel
Target Milestone: CR1   
Target Release: EAP 6.4.21   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-19 12:44:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1567790, 1609003    
Attachments:
Description Flags
bz1593129.zip none

Description Hisanobu Okuda 2018-06-20 07:11:50 UTC
Description of problem:

The jaas login module's logout() method is not invoked when SAML global logout.

Version-Release number of selected component (if applicable):

EAP 6.4.19

How reproducible:


Steps to Reproduce:

1. copy the attached standalone.xml to JBOSS_HOME/standalone/config/
2. copy the attached picketlink-federation-saml-idp-basic-jboss-eap.war to JBOSS_HOME/standalone/deployments/
3. copy the attached picketlink-federation-saml-sp-post-basic-jboss-eap.war to JBOSS_HOME/standalone/deployments/
4. start EAP6, and attach debugger setting breakpoint org.jboss.security.auth.spi.SimpleServerLoginModule.logout()
5. access http://localhost:8080/sales-post/
6. login as guest/guest
7. click "Click to LogOut"
8. you will see that the break point does not hit.

Actual results:

org.jboss.security.auth.spi.SimpleServerLoginModule.logout() is not invoked.


Expected results:

org.jboss.security.auth.spi.SimpleServerLoginModule.logout() is invoked.

Additional info:

<distributable/> is set in web.xml in picketlink-federation-saml-idp-basic-jboss-eap.war. In this case, ClusteredSession is used.

Stack trace:
  [1] org.jboss.as.web.session.ClusteredSession.invalidate (ClusteredSession.java:622)
  [2] org.apache.catalina.session.StandardSessionFacade.invalidate (StandardSessionFacade.java:150)
  [3] org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler$IDPLogOutHandler.handleRequestType (SAML2LogOutHandler.java:254)
  [4] org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler.handleRequestType (SAML2LogOutHandler.java:104)
  [5] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage (AbstractIDPValve.java:879)
  [6] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage (AbstractIDPValve.java:461)
  [7] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke (AbstractIDPValve.java:408)
  [8] org.jboss.as.web.security.SecurityContextAssociationValve.invoke (SecurityContextAssociationValve.java:169)
  [9] org.apache.catalina.core.StandardHostValve.invoke (StandardHostValve.java:151)
  [10] org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:97)
  [11] org.apache.catalina.core.StandardEngineValve.invoke (StandardEngineValve.java:102)
  [12] org.apache.catalina.connector.CoyoteAdapter.service (CoyoteAdapter.java:343)
  [13] org.apache.coyote.http11.Http11Processor.process (Http11Processor.java:856)
  [14] org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process (Http11Protocol.java:656)
  [15] org.apache.tomcat.util.net.JIoEndpoint$Worker.run (JIoEndpoint.java:926)
  [16] java.lang.Thread.run (Thread.java:748)

The ClusteredSession#invaludate() does not invoke principal.logout() which leads to the login module's logout().

On the other hand, commenting <distributable/>, StandardSession is used. The StandardSession#invalidate() invokes principal.logout(). Then the login module's logout() method is invoked. It is an expected behavior.

Stack trace:
  [1] org.jboss.security.auth.spi.SimpleServerLoginModule.logout (SimpleServerLoginModule.java:93)
  [2] sun.reflect.NativeMethodAccessorImpl.invoke0 (native method)
  [3] sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
  [4] sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
  [5] java.lang.reflect.Method.invoke (Method.java:498)
  [6] javax.security.auth.login.LoginContext.invoke (LoginContext.java:755)
  [7] javax.security.auth.login.LoginContext.access$000 (LoginContext.java:195)
  [8] javax.security.auth.login.LoginContext$4.run (LoginContext.java:682)
  [9] javax.security.auth.login.LoginContext$4.run (LoginContext.java:680)
  [10] java.security.AccessController.doPrivileged (native method)
  [11] javax.security.auth.login.LoginContext.invokePriv (LoginContext.java:680)
  [12] javax.security.auth.login.LoginContext.logout (LoginContext.java:628)
  [13] org.jboss.security.authentication.JBossCachedAuthenticationManager.logout (JBossCachedAuthenticationManager.java:571)
  [14] org.jboss.as.web.security.JBossGenericPrincipal.logout (JBossGenericPrincipal.java:95)
  [15] org.apache.catalina.session.StandardSession.expire (StandardSession.java:728)
  [16] org.apache.catalina.session.StandardSession.expire (StandardSession.java:644)
  [17] org.apache.catalina.session.StandardSession.invalidate (StandardSession.java:1,092)
  [18] org.apache.catalina.session.StandardSessionFacade.invalidate (StandardSessionFacade.java:150)
  [19] org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler$IDPLogOutHandler.handleRequestType (SAML2LogOutHandler.java:254)
  [20] org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler.handleRequestType (SAML2LogOutHandler.java:104)
  [21] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage (AbstractIDPValve.java:879)
  [22] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage (AbstractIDPValve.java:461)
  [23] org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke (AbstractIDPValve.java:408)
  [24] org.jboss.as.web.security.SecurityContextAssociationValve.invoke (SecurityContextAssociationValve.java:169)
  [25] org.apache.catalina.core.StandardHostValve.invoke (StandardHostValve.java:151)
  [26] org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:97)
  [27] org.jboss.as.web.sso.ClusteredSingleSignOn.invoke (ClusteredSingleSignOn.java:384)
  [28] org.apache.catalina.core.StandardEngineValve.invoke (StandardEngineValve.java:102)
  [29] org.apache.catalina.connector.CoyoteAdapter.service (CoyoteAdapter.java:343)
  [30] org.apache.coyote.http11.Http11Processor.process (Http11Processor.java:856)
  [31] org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process (Http11Protocol.java:656)
  [32] org.apache.tomcat.util.net.JIoEndpoint$Worker.run (JIoEndpoint.java:926)
  [33] java.lang.Thread.run (Thread.java:748)

ClusteredSession#invalidate() need the code to invoke principal.logout() as follows:

            // Call the logout method
            if (principal instanceof GenericPrincipal) {
                GenericPrincipal gp = (GenericPrincipal) principal;
                try {
                    gp.logout();
                } catch (Exception e) {
                    manager.getContainer().getLogger().error(MESSAGES.sessionLogoutException(), e);
                }
            }

Comment 3 Hisanobu Okuda 2018-07-05 03:44:18 UTC
Sorry I forgot the attachment. Please find the files in the attached bz1593129.zip. The dirty fix on my setup resolves the issue.

Comment 4 Hisanobu Okuda 2018-07-05 03:44:59 UTC
Created attachment 1456640 [details]
bz1593129.zip