Wildfly SSO Logout Not Working - Session is Still Valid

Question


I am running Wildfly and am having issues with invalidating the session upon user logout. I have set up a custom database login module and that works, but the logout functionality does not. I have pasted the relevant standalone.xml, jboss-web.xml and my servlet logout code.

The issue is that the session does not get invalidated after logout. Using the same JSESSIONIDSSO cookie, the user can still access pages that require roles even after logging out. I have tested that the roles are working properly - prior to login, pages requiring roles are inaccessible. After login, they are accessible. After logout, they are still accessible.

Has anyone else experienced these issues or do you know what has been misconfigured on my end?

standalone.xml

<security-domain name="myname-form" cache-type="default">
    <authentication>
        <login-module code="com.myname.DatabaseModLoginModule" flag="sufficient">
            <module-option name="securityDomain" value="jsse-myname"/>
            <module-option name="verifier" value="com.myname.X509Verifier"/>
            <module-option name="dsJndiName" value="java:/jdbc/myds"/>
            <module-option name="rolesQuery" value="exec h_Get_UserRoles ?, 1"/>
            <module-option name="fieldToSearchMap" value="CN=TEST"/>
            <module-option name="logQuery" value="exec h_Log_login_Attempt ?,?"/>
            <module-option name="certLogDir" value="C:\tools\wildfly\standalone\log\failedcerts"/>
        </login-module>
    </authentication>
</security-domain>

jboss-web.xml

<jboss-web>
  <security-domain flushOnSessionInvalidation="true">myname-form</security-domain>
  <valve>
    <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
  </valve>
  <context-root>/myname-form</context-root>
</jboss-web>

LogoutServlet.java

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        // Prevent the logout response (and the redirect target) from being cached.
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
        // Expires must be an HTTP date; 0 yields "Thu, 01 Jan 1970 00:00:00 GMT".
        response.setDateHeader("Expires", 0);

        // Invalidate the existing session only. Calling getSession() (without
        // "false") after invalidate() would create a brand-new session just to
        // invalidate it again, which achieves nothing.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Servlet 3.0 logout: removes the authenticated principal from the request.
        request.logout();
        response.sendRedirect(request.getScheme() + "://" + request.getServerName());
    }
}


Answer


I am using Wildfly-8.1 and I also had many issues with SSO. First of all, as previously stated, you will need to flush the cache manually when the session is destroyed:

import java.security.Principal;

import javax.annotation.Resource;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.jboss.security.CacheableManager;

@WebListener
public class SessionListener implements HttpSessionListener {

    // Authentication manager of the security domain; "app" stands for the
    // name of your security domain (java:jboss/jaas/<domain>/authenticationMgr).
    @Resource(name = "java:jboss/jaas/app/authenticationMgr")
    private CacheableManager<?, Principal> authenticationManager;

    @Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {

        // Flushes credentials. The application is expected to have stored the
        // authenticated principal in the session under the "principal" attribute.
        Principal principal = (Principal) httpSessionEvent.getSession()
                .getAttribute("principal");
        if (principal != null) {
            authenticationManager.flushCache(principal);
        }
    }
}

Wildfly has switched its default web container to Undertow, so the valve cannot be used anymore. You can delete that part from your jboss-web.xml.

To enable SSO you need to edit standalone.xml and add the "single-sign-on" option in the undertow subsystem (SSO is configured per host):

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <single-sign-on path="/"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>

But that is still not enough, as I had to log out twice to actually be logged out. After following and discussing on this forum thread: "Wildfly SSO, does it support session timeout and logout?", I had to patch the Undertow module with the fixes from that thread and install it in Wildfly-8.1.
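The following logout servlet is an added example, not code from the question or the answer above. It combines the two points the thread makes (invalidate the session, then flush the security domain's authentication cache for the logged-out principal) into the logout request itself, so it does not depend on the application having stored a "principal" session attribute. It assumes the JNDI binding java:jboss/jaas/<security-domain>/authenticationMgr for the question's "myname-form" domain, the default Undertow SSO cookie name JSESSIONIDSSO, and the /logout URL mapping; all three are assumptions, not facts stated on the page.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jboss.security.CacheableManager;

// ASSUMPTION: URL mapping chosen for this example.
@WebServlet("/logout")
public class SsoLogoutServlet extends HttpServlet {

    // ASSUMPTION: "myname-form" is the security domain from the question's
    // standalone.xml; WildFly exposes its authentication manager under
    // java:jboss/jaas/<domain>/authenticationMgr.
    @Resource(name = "java:jboss/jaas/myname-form/authenticationMgr")
    private CacheableManager<?, Principal> authenticationManager;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Capture the principal before the session and request are torn down;
        // after invalidate()/logout() it is no longer reachable from the request.
        Principal principal = request.getUserPrincipal();

        // Invalidate only an existing session; getSession() without "false"
        // would create a new one just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Servlet 3.0 logout: removes the authenticated user from the request.
        request.logout();

        // Server-side step: evict the cached principal from the security
        // domain's authentication cache. Without this, a replayed JSESSIONIDSSO
        // still maps to a cached, already-authenticated principal.
        if (principal != null && authenticationManager != null) {
            authenticationManager.flushCache(principal);
        }

        // Client-side hygiene only: tell the browser to drop the SSO cookie on
        // the path configured in <single-sign-on path="/"/>. A cookie that was
        // already captured by someone else is not affected by this; only the
        // cache flush above stops replay.
        Cookie sso = new Cookie("JSESSIONIDSSO", "");   // ASSUMPTION: default name
        sso.setPath("/");
        sso.setMaxAge(0);
        sso.setHttpOnly(true);
        sso.setSecure(request.isSecure());
        response.addCookie(sso);

        // Keep the logout response and the redirect target out of caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Redirect relative to the deployment rather than a hard-coded scheme/host.
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

To check the fix the way the question does: log in, fetch a role-protected page with the JSESSIONIDSSO cookie, call /logout, then replay the same cookie against the protected page. The replay must now be refused (redirected to the login form or answered with 401/403); if it still succeeds, the cache flush is not reaching the right security domain, or the Undertow SSO issue the answer refers to still applies.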