Hello everyone. I have a critical problem.
After a few months testing some web systems with single sing on with picketlink, we finally deployed those systems to production environment.
There are 7 SPs on the same single sign on. What happens is that it works fine most of the time, but sometimes, when we access one of the Sps it appears a different user. The method FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal() in the Sp returns another completely different user.
I can’t find anything wrong, it is configured exactly like the sales and idp examples. I tried to change to form and redirect, but with both I get the same problems.
It is kind of hard to get this error; I would guess that if I login about 30 times I get one error like this. Of course it is extremely critical and we are on the verge of taking it out of production and back to the old login way. (We used single sign on with a very old version of JOSSO.
This problem never happened while in homologation phase, and we used it a lot in homologation environment for a few months.
I am using picketlink 2.0.2, with 2 systems in JBoss 6 and other 5 in JBoss 5. Those are government systems in a Portal and they have got a lot of access in production.
If necessary I can send the configurations I have, but there is not out of ordinary. Although it probably has nothing to do with the problem, the only difference I can think of is that because we were afraid of time sync issues because of network latency, I configured the systems in the JBoss 6 with a time skew like this:
<Option Key="CLOCK_SKEW_MILIS" Value="2000"/>
The servers are almost synchronized, but there is a difference in milliseconds between them. The other systems are all in the same machine and have no time skew.
I am getting out of ideas and desperate. It would be a huge problem to stop using single sign on with picketlink now. Any clue and I would be very grateful. As it is a government site open to public, if somebody wants I can give the address and even create a user for test.
Thank you in advance,
Just to make it clear, although it is a completely unrelated user, it is a proper user in the database. It seems as if the idp sometimes returns another user who is possibly also logged in at the same time.
The idp uses a DatabaseServerLoginModule realm. Again, nothing out of ordinary in its configuration.
If there is anything else I can say to help to understand the problem let me know.
Pedro Igor, it really was configured with the default cache:
But would not the cache just mean that for a specific user, if he logs again, it will use the cache to return this same user and not try to get its credentials or roles again? But the cache would not return another user if I log with my user, or am I wrong?
I don’t know, the problem is that we took it off from production environment as it was too critical, and in homologation so far I just can’t reproduce the error.
Anyway, I will keep trying to reproduce it. If I can get the error in homologation, then I will try without any caching too see if it is the problem.
I will post here back if I have any answer. Thanks for the idea.
Stefan, actually I don't remember to receive any complaints or to get myself this error in the Sps deployed in the AS6, just in the AS5, although I am not sure if it is just coincidence because the applications in the JBoss5 are way more accessed and there are 5 of them against just 2 in the AS6.
But it could be possible. Maybe the problem just happened in AS5. As I said we took it out of production, but I will try to get this error in homologation or development environment to try to narrow it down.
If anybody has any other idea to help me I would be thankful as I have yet not given up. It still would be great if we could get those systems up on picketlink. Thank you all.
You are right. It is just something that first came in my mind. Give it a try, this problems is quite strange and this is just an idea.
Did you try to create a load test ? Maybe this problems happens when you increase the user load.
I have a test plan using JMeter that uses a CSV to retrieve some users/pass, authenticate them and asserts if the logged user is the expected. Let me know if you need it.
See the attachments.
This test plan was used for me to do some tests using the PicketLink Quickstarts: idp.war and employee.war. You have to change it to your needs. As you are using JSF, maybe you need to record some interactions before running the tests.
I hope it can be useful as a start point.
Also, try to find some similar issue in the AS forum.