Reputation: 31
Wildfly SSO Logout Not Working - Session is Still Valid
I am running Wildfly and am having issues with the invalidating the session upon user logout. I have set up a custom database login module and that works, but the logout functionality does not. I have pasted the relevant standalone.xml, jboss-web.xml and my servlet logout code.
The issue is that the session does not get invalidated after logout. Using the same JSESSIONIDSSO cookie, the user can still access pages that require roles even after logging out. I have tested that the roles are working properly - prior to login, pages requiring roles are inaccessible. After login, they are accessible. After logout, they are still accessible.
Has anyone else experienced these issues or do you know what has been misconfigured on my end?
standalone.xml
<security-domain name="myname-form" cache-type="default">
<authentication>
<login-module code="com.myname.DatabaseModLoginModule" flag="sufficient">
<module-option name="securityDomain" value="jsse-myname"/>
<module-option name="verifier" value="com.myname.X509Verifier"/>
<module-option name="dsJndiName" value="java:/jdbc/myds"/>
<module-option name="rolesQuery" value="exec h_Get_UserRoles ?, 1"/>
<module-option name="fieldToSearchMap" value="CN=TEST"/>
<module-option name="logQuery" value="exec h_Log_login_Attempt ?,?"/>
<module-option name="certLogDir" value="C:\tools\wildfly\standalone\log\failedcerts"/>
</login-module>
</authentication>
</security-domain>
jboss-web.xml
<jboss-web>
<security-domain flushOnSessionInvalidation="true">myname-form</security-domain>
<valve>
<class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
</valve>
<context-root>/myname-form</context-root>
</jboss-web>
ServletLogout.java
public class LogoutServlet extends HttpServlet {
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", new java.util.Date().toString());
if (request.getSession(false) != null) {
request.getSession(false).invalidate();
}
if (request.getSession() != null) {
request.getSession().invalidate();
}
request.logout();
response.sendRedirect(request.getScheme()+"://"+request.getServerName());
}
}
Upvotes: 3
Views: 7246
Answers (3)
Reputation: 2415
Seems like it relates to this JIRA issue, which is not resolved yet in Wildfly 8, but only in 9.
Upvotes: 0
Reputation: 1732
I had the same problem.
I've updated from Wildfly8.1.0.Final to Wildfly8.2.0.Final and the problem has gone.
Upvotes: 0
Reputation: 140
I am using Wildfly-8.1 and I had also many issues with SSO. First of all, as previously stated, you will need to flush the cache manually when the session is destroyed:
@WebListener
public class SessionListener implements HttpSessionListener {
@Resource(name = "java:jboss/jaas/app/authenticationMgr")
private CacheableManager<?, Principal> authenticationManager;
@Override
public void sessionCreated(HttpSessionEvent httpSessionEvent) {
}
@Override
public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
// Flushes credentials.
Principal principal = (Principal) httpSessionEvent.getSession()
.getAttribute("principal");
if (principal != null) {
authenticationManager.flushCache(principal);
}
}
}
Wildfly has switched default web container to Undertow, so valve cannot be used anymore. You can delete that part from your jboss-web.xml
To enable SSO you need to edit the standalone.xml and add the "single-sign-on" option in the undertow subsystem (SSO is configured per host):
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on path="/"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
But is still not enough, as I had to logout twice to be able to logout. After following and discussing on this forum: Wildfly SSO, does it support session timeout and logout? I had to patch the Undertow module with the fixes on this forum and install it in Wildfly-8.1
Upvotes: 4
Related Questions
- Need help regarding Wildfly 9 SSO
- Session issue in Wildfly 10.1.0
- Session not invalidated properly, throwing "Session is invalid"
- Session sharing on WildFly is not working
- Jboss Wildfly not closing connections when not in use
- Wildfly 9 session expired but no authentication unless browser closed
- Wildfly caches roles after logout in a web application
- Wildfly 8 Session Problems in multi-virtual-host configurations
- managed bean logout not working
- Spring security logout over https not working