Bug 979369 - Different behaviours of HttpSession creation with programmatic login()
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Priority: unspecified
Severity: high
Target Milestone: DR1
Target Release: EAP 6.4.0
Assigned To: Rémy Maucherat
QA Contact: Pavel Slavicek
Depends On:
Blocks:
Reported: 2013-06-28 06:58 EDT by FIlip Bogyai
Modified: 2018-06-07 17:29 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, the behavior of HttpSession creation differed when it was used together with a subsequent programmatic login:

* Without SSO: no session is created while calling the `login()` method, so subsequent requests are unauthenticated.
* With non-clustered SSO: a session is created while calling the `login()` method, but the first call does not set the authentication status. Subsequent requests are unauthenticated, and the user is authenticated only after a second call of the `login()` method, because the session is already present by then.
* With clustered SSO: a session is created while calling the `login()` method and subsequent requests are authenticated.

This issue is fixed in the current version of JBoss EAP 6. The `org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION` system property provides a new option to always create a session.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Description FIlip Bogyai 2013-06-28 06:58:55 EDT
Description of problem:
When a new HttpClient sends a request to a servlet to do a programmatic login, an HttpSession isn't automatically created. Authentication is successful, but the credentials aren't stored and you cannot access the secured resource. It is necessary to call request.getSession() in the servlet to initialize the session and store the credentials.

If Single Sign On (SSO) configuration is enabled:

1. Non-clustered SSO - after the second request to login, an HttpSession is automatically created and the user can access the secured resource

2. Clustered SSO - on the first request an HttpSession is automatically created

How reproducible:

Test application
https://github.com/kwart/secured-webapp-template.git

Steps to Reproduce:

Send requests to:
1. LoginServlet - admin/admin
2. SimpleSecuredServlet
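The workaround named in the description (creating the session before `login()`), as an added example of a login servlet for JBoss EAP 6; this is not code from the secured-webapp-template test application, and the servlet path and request parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the test application's code). On JBoss EAP 6 without SSO,
// request.login() authenticates but creates no session, so nothing caches the
// principal and the next request to a secured servlet is unauthenticated again.
// Creating the session explicitly before login() gives the authenticator a session
// to cache the principal in, so the follow-up request (carrying JSESSIONID) passes.
@WebServlet("/LoginServlet")   // assumed path; "username"/"password" are assumed too
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }
        if (req.getUserPrincipal() != null) {
            // login() throws ServletException when a user is already authenticated.
            resp.getWriter().println("already logged in as " + req.getRemoteUser());
            return;
        }
        // The key step: create the HttpSession BEFORE calling login().
        req.getSession(true);
        try {
            req.login(user, pass);
        } catch (ServletException e) {
            // Bad credentials: generic failure, do not say which part was wrong.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        resp.getWriter().println("logged in as " + req.getRemoteUser());
    }
}
```

On EAP 6.3.0 and later the same effect is available without the explicit `getSession(true)` by setting the system property `org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION` from Comment 14 (value `true` assumed). Note that the session now exists before authentication, so the application's session fixation handling should account for it.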
Comment 1 Jaikiran Pai 2013-06-28 07:28:18 EDT
FYI - https://community.jboss.org/thread/200602
Comment 9 Chao Wang 2013-09-11 05:32:26 EDT
This appears in Tomcat programmatic login as well, probably inherits from there. Checking Servlet 3.1 spec chapter 7.2, although a "new" session is created, it's not established until the client joins it. By now, I'm not quite sure when exactly the client should "join" it and make the session become established during the programmatic authentication process.

For SSO situation, in AuthenticatorBase.register(), if sso is not null it ensures session association with a new SSO registration at last.
Comment 10 Jaikiran Pai 2013-09-11 05:48:31 EDT
This issue/discussion needs to be brought to the notice of the JBoss Web team, if it hasn't already been.
Comment 11 Chao Wang 2013-09-11 07:39:20 EDT
Discussed with rmaucher on IRC: programmatic login does not create sessions, therefore it's normal for each secured page/servlet request to require re-authentication. With SSO configured, sessions are created because a new SSO registration needs a session to associate with (same behaviour as Tomcat), which makes the second request pass without asking to log in.
Comment 12 Rémy Maucherat 2013-09-11 07:41:20 EDT
I am against any "behavior alignment" since the only possibility is to always create a session, something which has been carefully avoided so far.

Tomcat now has a new option to always create a session, disabled by default. That option can be ported.
Comment 14 Rémy Maucherat 2014-01-10 09:37:42 EST
Ported in r2336. System property to enable it is org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION
Comment 16 Kabir Khan 2014-12-05 07:21:24 EST
Seeing as this was fixed a long time ago during 6.3.0, I am setting it to ON_QA for EAP 6.4.0
Comment 17 FIlip Bogyai 2014-12-09 04:43:50 EST
Verified in EAP 6.4.0.DR12. Doc Text should be changed from Known Issue to Enhancement or Bug Fix with description of system property that enables creating sessions: org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION