
We have a JBoss EAP 6.3 cluster with 2 nodes. We also enabled SSO.

The thing is, we got a web application that has the login form, so when the session timeout configured in web.xml expires, it redirects the user to that form. The other web applications deployed, on session timeout are redirecting to that form too.

On one hand we got the session-timeout property in web.xml for every web application, and on the other hand we got the SSO enabled in JBoss.

Is the same session timeout value on all web applications correct? Should we ignore that value and focus on some SSO global session timeout value? What's the best practice for configuring the session timeout of every web application in this scenario?

Thanks guys, Regards.

Mateo

1 Answer


The web session and the SSO session are different things: a session is created when you access a web application, and it can live without authentication. SSO allows authentication to one resource to implicitly authorize access to other resources.
Then, according to the documentation:

How SSO Works
If a resource is unprotected, a user is not challenged to authenticate at all. If a user accesses a protected resource, the user is required to authenticate.

Upon successful authentication, the roles associated with the user are stored and used for authorization of all other associated resources.

If the user logs out of an application, or an application invalidates the session programmatically, all persisted authorization data is removed, and the process starts over.

A session timeout does not invalidate the SSO session if other sessions are still valid.

So if you want to invalidate the SSO authentication across the cluster, you may call the method Request.logout(), for example.

SSO Configuration Options:

maxEmptyLife:
Clustered SSO only. The maximum number of seconds an SSO valve with no active sessions will be usable by a request, before expiring. A positive value allows proper handling of shutdown of a node if it is the only one with active sessions attached to the valve. If maxEmptyLife is set to 0, the valve terminates at the same time as the local session copies, but backup copies of the sessions, from clustered applications, are available to other cluster nodes. Allowing the valve to live beyond the life of its managed sessions gives the user time to make another request which can then fail over to a different node, where it activates the backup copy of the session. Defaults to 1800 seconds (30 minutes).

See also: Use Single Sign On (SSO) In A Web Application

Another thing: it is not possible to configure a default session-timeout value in JBoss 7 (like JBoss 4, 5 and 6), so you'll have to configure this value in each application.

E.g. add to your web.xml:

<session-config>
    <session-timeout>20</session-timeout>
</session-config>

I hope this helps.

Federico Sierra
  • Thanks Federico, one more doubt: what's with "A session timeout does not invalidate the SSO session if other sessions are still valid."? What should happen to the user in that web application? – Mateo Oct 31 '14 at 18:25
  • SSO is an authentication mechanism. A web session will have an associated SSO which associates the user with other applications on that host or on other nodes in a cluster. The SSO authentication is invalidated when all associated sessions are invalidated, an explicit logout is executed, or on a shutdown. In the cluster case, when a session is invalidated the SSO authentication is invalidated, since all replicated sessions expire at the same time for the same application. – Federico Sierra Oct 31 '14 at 19:23
  • Ok, I tested this scenario: the user logs in through the web application (Portal) that has the login form (it gets two cookies, one that represents the session of the web application and another that represents the SSO session), then waits until the session of the web application has expired. Unexpectedly, I can navigate to another web application and get a session from that web application. Is that behavior correct? Am I missing something? – Mateo Nov 05 '14 at 17:57
  • You have to see what happens to the authentication: if the session has expired and no other web session associated with the SSO exists, the SSO authentication is also removed. – Federico Sierra Nov 05 '14 at 18:09
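An added example, not from the question or the answer above, of the explicit logout the answer recommends: a Servlet 3.0 servlet (JBoss EAP 6 is a Java EE 6 container) that invalidates the local web session and then calls HttpServletRequest.logout() so the SSO entry is dropped on the same request rather than lingering until every other application's session has expired. The /logout path and the /login.jsp redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout endpoint; the path is an assumption, not from the page.
@WebServlet("/logout")
public class SsoLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop this application's own web session. By itself this only
        //    removes the local session: the SSO entry survives while any other
        //    application still holds a valid session for the same user.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Clear the container-level authentication (Servlet 3.0 API).
        //    With the JBoss SSO valve this removes the persisted authorization
        //    data, so the other applications stop honouring the SSO cookie.
        request.logout();

        // 3. Send the browser back to the login form (target path is an assumption).
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```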