14 Replies. Latest reply: Jul 12, 2013 1:59 AM by Sampath Ms

Configuring a clustered SSO

Loïc Gangloff Newbie

Hello,

 

I'm trying to configure a clustered SSO in domain mode (AS 7.1.1.Final).

One host (host1) with a server node (n-a).

A second host (host2) with a server node (n-a).

 

mod_cluster is activated and works fine with Apache.

 

I have configured the web subsystem like this:

 

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" instance-id="${jboss.node.name}" native="false">
       ...
        <virtual-server name="default-host" enable-welcome-root="true">
            ...
            <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
        </virtual-server>
    </subsystem>

 

I created a web application, with a servlet that displays:

    A counter saved in session

    The current node: System.getProperty("jboss.node.name")

    and the remote user: req.getRemoteUser()

 

The servlet is mapped like this: @WebServlet(name="authreplservlet", urlPatterns={"/authrepl.protected","/authrepl"})

A security constraint is applied only to the "*.protected" URL pattern.

 

Here is my jboss-web.xml:

 

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <jboss-web>
        <security-domain flushOnSessionInvalidation="true">
            java:/jaas/usertaskdomain
        </security-domain>
        <valve>
            <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
        </valve>
    </jboss-web>

 

Here is the scenario that I tried:

1. Access to http://x.x.x.x/webapptest/authrepl

    => counter=1, node=host1:n-a, user=null

2. Access to http://x.x.x.x/webapptest/authrepl.protected

    => Authentication required, I post the form

    => counter=2, node=host1:n-a, user=lgf

 

3. I kill the host where I am connected: host1

 

4. Access to http://x.x.x.x/webapptest/authrepl

    => counter=3, node=host2:n-a, user=null

   

The session is correctly replicated, because the counter is not reinitialized. But the auth information is not (even if I try to access authrepl.protected again, the auth form is displayed again).

Do you have any idea what's wrong?

Thank you.

  • 1. Re: Configuring a clustered SSO
    Loïc Gangloff Newbie

    I just tested with 7.1.2.Final-SNAPSHOT and I have the same problem.

    Has anyone tested it successfully?

  • 2. Re: Configuring a clustered SSO
    jaikiran pai Master

    It perhaps is this issue https://issues.jboss.org/browse/AS7-4681 for which a pull request has recently been sent.

  • 3. Re: Configuring a clustered SSO
    Loïc Gangloff Newbie

    I tried the latest build again... The session replication works, but not the sso information.

  • 4. Re: Configuring a clustered SSO
    Brian Wallis Master

    The fix for that ticket is in EAP 6.0.0 ER 7 but I have no idea how that relates to the 7.1.2 overnight builds. Is there a way to track when the fix makes it into the 7.1.2 builds?

     

    thanks

  • 5. Re: Configuring a clustered SSO
    jaikiran pai Master

    If you mean this issue https://issues.jboss.org/browse/JBPAPP-8835 then see the linked issue to that JIRA, which is https://issues.jboss.org/browse/AS7-4681 and which I already pointed to in this thread. So it's supposed to be available in the latest nightly builds, but Loïc says it's still reproducible. Give it a try though and if it doesn't work for you too then post an update here. I'll see if someone with more knowledge around this area can take a look.

  • 6. Re: Configuring a clustered SSO
    Brian Wallis Master

    I've just downloaded the latest nightly build and it still doesn't work. My configuration and other details are described in another forum post, https://community.jboss.org/thread/198966

     

    thanks.

  • 7. Re: Configuring a clustered SSO
    Loïc Gangloff Newbie

    Hello,

     

    I tried again with the latest build, just to be sure. You can find a war attached to this thread.

    Here's how I reproduce it:

     

    Add this security-domain to the security subsystem:

     

            <security-domain name="ssorepl-realm" cache-type="default">
                <authentication>
                    <login-module code="UsersRoles" flag="required">
                        <module-option name="usersProperties" value="users.properties"/>
                        <module-option name="rolesProperties" value="roles.properties"/>
                    </login-module>
                </authentication>
            </security-domain>
    

      

    Add this configuration to the web subsystem, under the "virtual-server" named "default-host":

     

            <sso cache-container="web" cache-name="sso" reauthenticate="false"/>   
    

     

    Add this logger:

     

            <logger category="org.apache.catalina.authenticator">
                <level name="TRACE"/>
            </logger> 
            <logger category="org.jboss.as.clustering.web.sso">
                <level name="TRACE"/>
            </logger> 
            <logger category="org.jboss.as.clustering.infinispan">
                <level name="TRACE"/>
            </logger>
    

     

     

    And, in order to have 2 hosts, add this to host.xml:

        <servers>
            <server name="server-one" group="other-server-group" auto-start="true">
                <socket-bindings/>
            </server>
            <server name="server-two" group="other-server-group" auto-start="true">
                <socket-bindings port-offset="250"/>
            </server>
        </servers>
    

     

    Deploy the war.

    Start JBoss in domain mode.

     

    Here are some logs... The SSO cache is started:

     

    [Server:server-one] 10:00:45,825 DEBUG [org.jboss.as.clustering.infinispan.subsystem] (pool-19-thread-1) sso cache started
    [Server:server-one] 10:00:45,992 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (MSC service thread 1-5) Found SingleSignOn Valve at SingleSignOn[default-host]
    ...
    [Server:server-two] 10:00:46,593 DEBUG [org.jboss.as.clustering.infinispan.subsystem] (pool-20-thread-1) sso cache started
    [Server:server-two] 10:00:46,775 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (MSC service thread 1-6) Found SingleSignOn Valve at SingleSignOn[default-host]
    

     

     

    Here is the scenario:

     

    The corresponding logs:

    [Server:server-one] 10:02:56,889 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /ssorepl/sessrepl
    [Server:server-one] 10:02:56,890 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Not subject to any constraint
    
    
    [Server:server-one] 10:03:11,455 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /ssorepl/sessrepl.protected
    [Server:server-one] 10:03:11,455 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
    [Server:server-one] 10:03:11,456 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
    [Server:server-one] 10:03:11,456 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Save request in session 'bO7SJ0pn+QWM+wJ3nongys3J'
    [Server:server-one] 10:03:11,491 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test
    
    
    [Server:server-one] 10:03:17,995 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /ssorepl/j_security_check
    [Server:server-one] 10:03:18,011 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'lgf'
    [Server:server-one] 10:03:18,138 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authentication of 'lgf' was successful
    [Server:server-one] 10:03:18,138 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Redirecting to original '/ssorepl/sessrepl.protected'
    [Server:server-one] 10:03:18,139 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test ??/ssorepl/j_security_check
    [Server:server-one] 10:03:18,142 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /ssorepl/sessrepl.protected
    [Server:server-one] 10:03:18,143 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
    [Server:server-one] 10:03:18,143 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
    [Server:server-one] 10:03:18,143 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Restore request from session 'bO7SJ0pn+QWM+wJ3nongys3J'
    [Server:server-one] 10:03:18,150 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'lgf' with type 'FORM'
    [Server:server-one] 10:03:18,174 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8080-1) Registering SSO 6GAUi6rRBbcBrFvmjwfgS3JD in clustered cache
    [Server:server-two] 10:03:18,186 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a credentials modified message for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
    [Server:server-one] 10:03:18,191 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8080-1) addSession(): adding Session bO7SJ0pn+QWM+wJ3nongys3J to cached session set for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
    [Server:server-two] 10:03:18,201 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a session modified message for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
    [Server:server-two] 10:03:18,204 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a session modified message for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
    [Server:server-one] 10:03:18,207 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Proceed to restored request
    [Server:server-one] 10:03:18,207 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
    [Server:server-one] 10:03:18,207 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Successfully passed all security constraints
    [Server:server-two] 10:04:00,175 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1) Security checking request GET /ssorepl/sessrepl.protected
    [Server:server-two] 10:04:00,176 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Calling hasUserDataPermission()
    [Server:server-two] 10:04:00,176 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Calling authenticate()
    [Server:server-two] 10:04:00,176 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Save request in session 'bO7SJ0pn+QWM+wJ3nongys3J'
    [Server:server-two] 10:04:00,193 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Failed authenticate() test
    
    
    [Server:server-two] 10:08:52,871 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1) Security checking request POST /ssorepl/j_security_check
    [Server:server-two] 10:08:52,872 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Authenticating username 'lgf'
    [Server:server-two] 10:08:52,892 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Authentication of 'lgf' was successful
    [Server:server-two] 10:08:52,892 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Redirecting to original '/ssorepl/sessrepl.protected'
    [Server:server-two] 10:08:52,892 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Failed authenticate() test ??/ssorepl/j_security_check
    [Server:server-two] 10:08:52,896 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1) Security checking request GET /ssorepl/sessrepl.protected
    [Server:server-two] 10:08:52,896 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Calling hasUserDataPermission()
    [Server:server-two] 10:08:52,896 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Calling authenticate()
    [Server:server-two] 10:08:52,896 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Restore request from session 'bO7SJ0pn+QWM+wJ3nongys3J'
    [Server:server-two] 10:08:52,897 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1) Authenticated 'lgf' with type 'FORM'
    [Server:server-two] 10:08:52,897 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8330-1) Registering SSO 6111LMD9atSyqBeYnEnHo1Wy in clustered cache
    [Server:server-one] 10:08:52,907 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-16,null) received a credentials modified message for SSO 6111LMD9atSyqBeYnEnHo1Wy
    [Server:server-two] 10:08:52,912 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8330-1) addSession(): adding Session bO7SJ0pn+QWM+wJ3nongys3J to cached session set for SSO 6111LMD9atSyqBeYnEnHo1Wy
    [Server:server-one] 10:08:52,918 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-16,null) received a session modified message for SSO 6111LMD9atSyqBeYnEnHo1Wy
    [Server:server-one] 10:08:52,918 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-16,null) received a session modified message for SSO 6111LMD9atSyqBeYnEnHo1Wy
    [Server:server-two] 10:08:52,921 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8330-1) Proceed to restored request
    [Server:server-two] 10:08:52,921 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Calling accessControl()
    [Server:server-two] 10:08:52,921 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8330-1)  Successfully passed all security constraints
    

     

    I don't understand...

     

    SSOClusterManager replicates the SSO information, but when I try to access the second node, it does not retrieve the SSO information.

  • 8. Re: Configuring a clustered SSO
    Brian Wallis Master

    Here is the scenario:

    ...

    SSOClusterManager replicates the SSO information, but when I try to access the second node, it does not retrieve the SSO information.

    This seems to be a different scenario from the one you originally described using modcluster and shutting down one server so the app fails over to the second one.

     

    Is it still failing with the original (failover) scenario as well?

     

    I have a similar setup and have noted the following in my logging on the current standby host. The first three messages are logged when I log in to the app and the last log message occurs when I shut down the server on which the app is currently active.

     

    It seems that the shutdown of the host on which the session is currently active is causing jboss to remove the sso cache entry on the other server.

     

    [Server:server-three] 10:57:41,097 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a credentials modified message for SSO 5yfkoY8oNY51GHWtH-sqNdTn
    [Server:server-three] 10:57:41,122 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a session modified message for SSO 5yfkoY8oNY51GHWtH-sqNdTn
    [Server:server-three] 10:57:41,124 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a session modified message for SSO 5yfkoY8oNY51GHWtH-sqNdTn
    [Server:server-three] 10:58:05,159 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) cacheEntryRemoved ssoId = 5yfkoY8oNY51GHWtH-sqNdTn
    

     

     

    If instead of shutting down the currently active server I do a "kill -9" then I don't get the last message about the cacheEntryRemoved and the session seems to fail over OK; I can continue to use the app without having to re-authenticate. I do seem to have lost the session state though (but that might be a bug in my code, will check this).

     

    The logging I get is

     

    [Server:server-three] 11:25:37,400 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-15,null) received a credentials modified message for SSO y8kM24CUQnoWQZQlfnEE8AiG
    [Server:server-three] 11:25:37,438 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-15,null) received a session modified message for SSO y8kM24CUQnoWQZQlfnEE8AiG
    [Server:server-three] 11:25:37,441 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-15,null) received a session modified message for SSO y8kM24CUQnoWQZQlfnEE8AiG
    [Host Controller] 11:26:01,612 WARN  [org.jboss.as.domain] (Remoting "master:MANAGEMENT" read-1) JBAS010929: Connection to remote host "slave" closed unexpected
    [Host Controller] 11:26:01,613 INFO  [org.jboss.as.domain] (Remoting "master:MANAGEMENT" read-1) JBAS010925: Unregistered remote slave host "slave"
    [Server:server-three] 11:26:01,670 WARN  [org.hornetq.core.server.cluster.impl.BridgeImpl] (Thread-4 (HornetQ-client-global-threads-1911624122)) ClusterConnectionBridge@31e06dfc [name=sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445, queue=QueueImpl[name=sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445, postOffice=PostOfficeImpl [server=HornetQServerImpl::serverUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6]]@554d4f9 targetConnector=ServerLocatorImpl (identity=(Cluster-connection-bridge::ClusterConnectionBridge@31e06dfc [name=sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445, queue=QueueImpl[name=sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445, postOffice=PostOfficeImpl [server=HornetQServerImpl::serverUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6]]@554d4f9 targetConnector=ServerLocatorImpl [initialConnectors=[org-hornetq-core-remoting-impl-netty-NettyConnectorFactory?port=5695&host=172-16-95-132], discoveryGroupConfiguration=null]]::ClusterConnectionImpl@1932294279[nodeUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6, connector=org-hornetq-core-remoting-impl-netty-NettyConnectorFactory?port=5695&host=172-16-95-131, address=jms, server=HornetQServerImpl::serverUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6])) [initialConnectors=[org-hornetq-core-remoting-impl-netty-NettyConnectorFactory?port=5695&host=172-16-95-132], discoveryGroupConfiguration=null]]::Connection failed with failedOver=false-HornetQException[errorCode=2 message=Channel disconnected]: HornetQException[errorCode=2 message=Channel disconnected]
    [Server:server-three]   at org.hornetq.core.client.impl.ClientSessionFactoryImpl.connectionDestroyed(ClientSessionFactoryImpl.java:381) [hornetq-core-2.2.16.Final.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]
    [Server:server-three]   at org.hornetq.core.remoting.impl.netty.NettyConnector$Listener$1.run(NettyConnector.java:737) [hornetq-core-2.2.16.Final.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]
    [Server:server-three]   at org.hornetq.utils.OrderedExecutorFactory$OrderedExecutor$1.run(OrderedExecutorFactory.java:100) [hornetq-core-2.2.16.Final.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]
    [Server:server-three]   at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_31]
    [Server:server-three]   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_31]
    [Server:server-three]   at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]
    [Server:server-three] 
    [Server:server-three] 11:26:02,201 WARN  [org.hornetq.core.server.cluster.impl.BridgeImpl] (Thread-16 (HornetQ-server-HornetQServerImpl::serverUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6-1622178545)) Bridge sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445 achieved 1 maxattempts=0 it will stop retrying to reconnect
    [Server:server-three] 11:26:02,207 INFO  [org.hornetq.core.server.cluster.impl.BridgeImpl] (Thread-20 (HornetQ-server-HornetQServerImpl::serverUUID=429e65ab-95bd-11e1-9313-7be9d00e3ea6-1622178545)) stopped bridge sf.my-cluster.1fedddab-95bf-11e1-a79b-9bc626c56445
    [Server:server-three] 11:26:03,161 INFO  [org.jboss.as.clustering] (VERIFY_SUSPECT.TimerThread,web,master:server-three/web) JBAS010232: Suspected member: slave:server-three-slave/web
    [Server:server-three] 11:26:03,162 INFO  [org.jboss.as.clustering] (VERIFY_SUSPECT.TimerThread,ejb,master:server-three/ejb) JBAS010232: Suspected member: slave:server-three-slave/ejb
    [Server:server-three] 11:26:03,279 INFO  [org.jboss.as.clustering] (Incoming-20,null) JBAS010225: New cluster view for partition ejb (id: 20, delta: -1, merge: false) : [master:server-three/ejb]
    [Server:server-three] 11:26:03,280 INFO  [org.jboss.as.clustering] (Incoming-1,null) JBAS010225: New cluster view for partition web (id: 20, delta: -1, merge: false) : [master:server-three/web]
    [Server:server-three] 11:26:03,281 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,null) ISPN000094: Received new cluster view: [master:server-three/web|20] [master:server-three/web]
    [Server:server-three] 11:26:03,284 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,null) ISPN000094: Received new cluster view: [master:server-three/ejb|20] [master:server-three/ejb]
    [Server:server-three] 11:26:09,306 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3) Security checking request POST /multi-web/index.jsf
    [Server:server-three] 11:26:09,310 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3)  Calling hasUserDataPermission()
    [Server:server-three] 11:26:09,311 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3)  Calling authenticate()
    [Server:server-three] 11:26:09,311 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp--172.16.95.131-8259-3) SSO Id y8kM24CUQnoWQZQlfnEE8AiG set; attempting reauthentication
    [Server:server-three] 11:26:09,337 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (ajp--172.16.95.131-8259-3) addSession(): adding Session wM0bTObzgJ7kH9LQJWRMGTWx.2d50db7b-1d79-346c-967b-93275f4ea2af to cached session set for SSO y8kM24CUQnoWQZQlfnEE8AiG
    [Server:server-three] 11:26:09,349 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3)  Reauthenticated cached principal 'udr' with auth type 'FORM'
    [Server:server-three] 11:26:09,349 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3)  Calling accessControl()
    [Server:server-three] 11:26:09,350 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp--172.16.95.131-8259-3)  Successfully passed all security constraints
    

     

     

    In the fourth last message you can see that addSession() is referencing the same SSO session as was received from the other server (in the first three log messages).
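
The SSO trace lines posted in replies 7 and 8 can be correlated mechanically. The following Python script is an added example, not code from the thread or from JBoss: it reads lines taken from the logs above (abridged) and reports a web session bound to more than one SSO id, and replicated SSO entries that the receiving node later removed or reused. The finding names are made up for this example.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the logs posted in this thread (abridged).
SAMPLE_LOG = """\
[Server:server-one] 10:03:18,174 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8080-1) Registering SSO 6GAUi6rRBbcBrFvmjwfgS3JD in clustered cache
[Server:server-two] 10:03:18,186 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a credentials modified message for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
[Server:server-one] 10:03:18,191 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8080-1) addSession(): adding Session bO7SJ0pn+QWM+wJ3nongys3J to cached session set for SSO 6GAUi6rRBbcBrFvmjwfgS3JD
[Server:server-two] 10:08:52,897 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8330-1) Registering SSO 6111LMD9atSyqBeYnEnHo1Wy in clustered cache
[Server:server-one] 10:08:52,907 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-16,null) received a credentials modified message for SSO 6111LMD9atSyqBeYnEnHo1Wy
[Server:server-two] 10:08:52,912 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (http--127.0.0.1-8330-1) addSession(): adding Session bO7SJ0pn+QWM+wJ3nongys3J to cached session set for SSO 6111LMD9atSyqBeYnEnHo1Wy
[Server:server-three] 10:57:41,097 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) received a credentials modified message for SSO 5yfkoY8oNY51GHWtH-sqNdTn
[Server:server-three] 10:58:05,159 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-18,null) cacheEntryRemoved ssoId = 5yfkoY8oNY51GHWtH-sqNdTn
[Server:server-three] 11:25:37,400 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (OOB-15,null) received a credentials modified message for SSO y8kM24CUQnoWQZQlfnEE8AiG
[Server:server-three] 11:26:09,311 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp--172.16.95.131-8259-3) SSO Id y8kM24CUQnoWQZQlfnEE8AiG set; attempting reauthentication
[Server:server-three] 11:26:09,337 TRACE [org.jboss.as.clustering.web.sso.infinispan.SSOClusterManager] (ajp--172.16.95.131-8259-3) addSession(): adding Session wM0bTObzgJ7kH9LQJWRMGTWx.2d50db7b-1d79-346c-967b-93275f4ea2af to cached session set for SSO y8kM24CUQnoWQZQlfnEE8AiG
"""

NODE = re.compile(r"^\s*\[Server:([^\]]+)\]")
ADD_SESSION = re.compile(r"adding Session (\S+) to cached session set for SSO (\S+)")
EVENTS = {
    "received": re.compile(r"received a credentials modified message for SSO (\S+)"),
    "removed": re.compile(r"cacheEntryRemoved ssoId = (\S+)"),
    "reused": re.compile(r"SSO Id (\S+) set; attempting reauthentication"),
}


def analyse(log_text):
    """Return findings as tuples; the finding names are this example's own."""
    seen = defaultdict(lambda: defaultdict(set))  # event -> SSO id -> nodes
    bindings = defaultdict(list)                  # session id -> SSO ids, in order
    for line in log_text.splitlines():
        node_match = NODE.match(line)
        if not node_match:
            continue  # host-controller lines, stack traces, blank lines
        node = node_match.group(1)
        m = ADD_SESSION.search(line)
        if m:
            session_id, sso_id = m.groups()
            if sso_id not in bindings[session_id]:
                bindings[session_id].append(sso_id)
            continue
        for name, pattern in EVENTS.items():
            m = pattern.search(line)
            if m:
                seen[name][m.group(1)].add(node)
                break

    findings = []
    # Reply 7: the same web session ends up under a second, freshly registered
    # SSO id, i.e. the user had to authenticate again on the other node.
    for session_id, sso_ids in bindings.items():
        if len(sso_ids) > 1:
            findings.append(("session_rebound", session_id, tuple(sso_ids)))
    # Reply 8: what happened to an SSO entry on a node that got it by replication.
    # A removal is normal after logout or expiry; it is reported so it can be
    # compared with the time a peer was shut down.
    for sso_id, nodes in seen["received"].items():
        for node in sorted(nodes):
            if node in seen["removed"].get(sso_id, ()):
                findings.append(("removed_on_peer", node, sso_id))
            elif node in seen["reused"].get(sso_id, ()):
                findings.append(("reused_on_peer", node, sso_id))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The script only reads lines at the levels configured in reply 7 (TRACE for org.jboss.as.clustering.web.sso, and the authenticator messages shown in the logs above).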

  • 9. Re: Configuring a clustered SSO
    jaikiran pai Master

    Please try today's latest nightly build. There's one more fix that made it to that build which might help with this issue.

  • 10. Re: Configuring a clustered SSO
    Loïc Gangloff Newbie

    It still does not work.

     

    Something bothers me, this log:

    [SSOClusterManager] (http--127.0.0.1-8330-1) addSession(): adding Session bO7SJ0pn+QWM+wJ3nongys3J to cached session set for SSO 6111LMD9atSyqBeYnEnHo1Wy

     

    I have inspected the method addSession of the SSOClusterManager. It seems that the web session is added to the SSO session. (https://github.com/jbossas/jboss-as/blob/master/clustering/web-infinispan/src/main/java/org/jboss/as/clustering/web/sso/infinispan/SSOClusterManager.java at line 103)

    But the FormAuthenticator extracts the SSO from the web session, doesn't it?

    So, shouldn't the SSOClusterManager add the SSO to the web session?

    Sorry if I am wrong...

  • 11. Re: Configuring a clustered SSO
    jaikiran pai Master

    Thanks for testing. I've asked someone with relevant knowledge to take a look at this.

  • 12. Re: Configuring a clustered SSO
    Brian Wallis Master

    jaikiran pai wrote:

     

    Please try today's latest nightly build. There's one more fix that made it to that build which might help with this issue.

     

    I've just tried the latest one (May 8th 10:55:58 PM) and it fixes the problem I reported earlier:

     

     

    It seems that the shutdown of the host on which the session is currently active is causing jboss to remove the sso cache entry on the other server.

     

     

     

    so for me the clustered SSO seems to be working as expected now.

     

    The latest build introduced another problem but I'll create a new post for that.

     

    thanks.

  • 13. Re: Configuring a clustered SSO
    Alexey Awdonin Newbie

    Loïc Gangloff, could you please provide the source code of ssorepl.war.

  • 14. Re: Configuring a clustered SSO
    Sampath Ms Newbie

    Hi Loic Gangloff,

     

    I am trying to get the ClusteredSingleSignOn valve to work using the latest available AS 7.1.1. But I seem to be running into a failure of SSO id replication.

    The problem is I cannot upgrade to the EAP version where it seems to be working fine.

    Is there any way I can get the ClusteredSingleSignOn to work in AS 7.1.1?

    Any information would be helpful.

     

    Thanks and Regards,

    Sampath