JBoss Enterprise Application Platform
JBEAP-1128

SSO is not destroyed after session timeout period of <distributable/> app.


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.0.0.ER1
    • 7.0.0.DR10
    • Components: Security, Undertow

      1. Two identical FORM-authentication-based apps. Session timeout set to 1 min. Application marked <distributable/> in web.xml
      2. SSO switched on in undertow subsystem in standalone.xml using <single-sign-on path="/" />
      3. Access first application - login/password requested as expected. Login successful.
      4. I can access second deployed application as well. - SSO works as expected.
      5. Wait > 1 min

      6a. Non-<distributable/> application
      Accessing first and second application requires login
      Active session count = 0. [1]
      6b. <distributable/> application
      Accessing first and second application doesn't require login
      Active session count = 1. [2]


      Using a <distributable/> application causes the SSO not to be destroyed after the session timeout period. Based on [1], there is still an active session, which is probably the cause of the SSO not being destroyed.
      A similar setup in EAP 6 requires the user to log in after the session timeout period.

      Setting priority to critical because of a regression with security impact.

      [1]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
      {
      "outcome" => "success",
      "result" => 0
      }
      [2]
      [standalone@localhost:9990 /] /deployment=secured-webapp.war/subsystem=undertow:read-attribute(name=active-sessions)
      {
      "outcome" => "success",
      "result" => 1
      }
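The reproduction steps 3 to 6 above, scripted as a regression check that can be re-run after a fix. This is an added example, not code from the issue reporter, from Undertow or from EAP. APP1_URL, APP2_URL, USERNAME, PASSWORD and the jboss-cli.sh path are placeholders; the script assumes standard Servlet FORM authentication (POST to j_security_check with j_username/j_password) and that the login page contains the string "j_username". The parse_active_sessions helper reads the numeric result from the CLI output format quoted in [1] and [2].

```python
"""Regression check for: SSO must be destroyed once the session times out.
Added example; APP1_URL, APP2_URL, USERNAME, PASSWORD, JBOSS_CLI are placeholders."""
import http.cookiejar
import re
import subprocess
import time
import urllib.parse
import urllib.request

APP1_URL = "http://localhost:8080/secured-webapp/"   # placeholder
APP2_URL = "http://localhost:8080/secured-webapp2/"  # placeholder
USERNAME = "user1"                                   # placeholder
PASSWORD = "password1"                               # placeholder
JBOSS_CLI = "jboss-cli.sh"                           # placeholder path
SESSION_TIMEOUT_SECONDS = 60   # 1 min session timeout, as in the report
GRACE_SECONDS = 15             # margin so the expired session is actually reaped

# Assumption: the FORM login page carries the j_username input field.
LOGIN_FORM_MARKER = "j_username"
# CLI command quoted in [1]/[2] of the report.
ACTIVE_SESSIONS_CMD = ("/deployment=secured-webapp.war/subsystem=undertow"
                       ":read-attribute(name=active-sessions)")


def requires_login(body: str) -> bool:
    """True if a response body is the FORM login page rather than app content."""
    return LOGIN_FORM_MARKER in body


def parse_active_sessions(cli_output: str) -> int:
    """Extract the numeric 'result' from jboss-cli read-attribute output,
    e.g. the '"result" => 1' line shown in [2]."""
    match = re.search(r'"result"\s*=>\s*(\d+)', cli_output)
    if match is None:
        raise ValueError("no numeric result in CLI output")
    return int(match.group(1))


def sso_destroyed_after_timeout(active_sessions: int,
                                login_needed_app1: bool,
                                login_needed_app2: bool) -> bool:
    """Verdict: SSO is gone only if no session survived and both apps
    challenge for credentials again (the 6a behaviour, not the 6b one)."""
    return active_sessions == 0 and login_needed_app1 and login_needed_app2


def read_active_sessions_via_cli() -> int:
    """Run the CLI command from [1]/[2] against a local server and parse it."""
    out = subprocess.run([JBOSS_CLI, "--connect", "--command=" + ACTIVE_SESSIONS_CMD],
                         capture_output=True, text=True, check=True).stdout
    return parse_active_sessions(out)


def make_client():
    """One cookie jar shared across both apps, as a single browser would have."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def fetch(client, url, form=None) -> str:
    """GET, or POST when a form dict is given; redirects are followed."""
    data = urllib.parse.urlencode(form).encode() if form else None
    with client.open(url, data=data, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def login(client, app_url: str) -> None:
    """Trigger the FORM challenge, then post credentials to j_security_check."""
    fetch(client, app_url)
    fetch(client, urllib.parse.urljoin(app_url, "j_security_check"),
          {"j_username": USERNAME, "j_password": PASSWORD})


def run_check(read_active_sessions=read_active_sessions_via_cli) -> bool:
    """Steps 3-6 of the report; returns True when SSO was destroyed as expected."""
    client = make_client()
    if not requires_login(fetch(client, APP1_URL)):      # step 3: challenge expected
        raise RuntimeError("first app did not ask for login")
    login(client, APP1_URL)
    if requires_login(fetch(client, APP2_URL)):          # step 4: SSO must carry over
        raise RuntimeError("SSO did not propagate to second app")
    time.sleep(SESSION_TIMEOUT_SECONDS + GRACE_SECONDS)  # step 5: wait > 1 min
    return sso_destroyed_after_timeout(                  # step 6
        read_active_sessions(),
        requires_login(fetch(client, APP1_URL)),
        requires_login(fetch(client, APP2_URL)))


if __name__ == "__main__":
    print("SSO destroyed after timeout:", run_check())
```

Run it once with the app marked <distributable/> and once without; on the reported build the distributable run returns False (active session count 1, no login challenge), matching 6b, while a fixed build returns True for both.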

            pferraro@redhat.com Paul Ferraro
            mchoma@redhat.com Martin Choma