GLASSFISH-18356: HttpServletRequest.login does not work correctly with single sign on (SSO); JSESSIONIDSSO cookie is not sent.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1, 3.1.2_b21
    • Fix Version/s: 4.0_b84_RC1
    • Component/s: web_container
    • Labels: None
    • Environment:

      Linux, Java 1.7.0_02, Glassfish 3.1.1 Release and 3.1.2-b22

      Description

      Configure Glassfish for SSO, and add a user to the file realm from the Admin Console:

      Configurations->server-config->HTTP Service: SSO: Enabled
      Configurations->server-config->Security: Default Principal To Role Mapping: Enabled
      Configurations->server-config->Realms->file: Add a user with username: "username" password: "password" and role of "customrole"

      Deploy the attached war file. (It's inside the zip file, which contains the war and src).

      If you log in using the FORM login method (the third link), you will be logged into the web application and receive a JSESSIONIDSSO cookie, so going to another web application in the same realm will not prompt for credentials.

      Log out / close the browser, then try to log in using the HttpServletLogin method (the second link), something like http://localhost:8080/single-sign-on/login?u=username&p=password. You will be logged in, but the JSESSIONIDSSO cookie is not sent, so going to another web application in the same realm will prompt for credentials.

      The JSESSIONIDSSO cookie should be sent, and navigating to another web application in the same realm should not prompt for credentials.
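The servlet below is an added example of the programmatic-login path the report exercises; it is not the source of the attached war and not GlassFish code. It assumes the setup from the description (file realm, a user in role "customrole", context root single-sign-on) and the Servlet 3.0 API shipped with GlassFish 3.1.x. Unlike the reporter's test URL, it refuses GET so the password never travels in a query string, and it invalidates any pre-existing session before calling login so a session id chosen by an attacker is not promoted to an authenticated one. A logout endpoint is included because the fix for this issue also hinges on the SSO entry being unregistered on logout.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the attached war's source: programmatic login and logout
 * through the Servlet 3.0 API. Assumes the file realm, the "customrole" role
 * and the "single-sign-on" context root described in the issue.
 */
@WebServlet(urlPatterns = {"/login", "/logout"})
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("u");
        String pass = req.getParameter("p");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing u or p");
            return;
        }
        // Discard any session that existed before authentication so an
        // attacker-chosen session id is never promoted to an authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            // Validates the password against the realm configured for this
            // web application (the file realm in the issue's setup).
            req.login(user, pass);
        } catch (ServletException e) {
            // Same answer for unknown user and wrong password: no enumeration.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        req.getSession(true); // fresh session bound to the authenticated caller
        Principal p = req.getUserPrincipal();
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + (p == null ? "-" : p.getName()));
        out.println("customrole=" + req.isUserInRole("customrole"));
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Clears the caller identity; with the fix in this issue the
        // container also drops the SSO entry at this point.
        req.logout();
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Credentials in a query string end up in access logs and browser history. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "use POST");
    }
}
```

To check whether a given build shows the bug, post the credentials from the command line and inspect the response headers: curl -i -c cookies.txt -d 'u=username' -d 'p=password' http://localhost:8080/single-sign-on/login. A server with SSO enabled and this issue fixed answers with Set-Cookie headers for both JSESSIONID and JSESSIONIDSSO; on the affected 3.1.x builds only JSESSIONID comes back, which is why the second web application prompts again.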

        Activity

        adriaaaaan added a comment -

        Any movement on this issue? It was tagged for next release but that has come and gone. Is there any known workaround (for example creating the cookie manually)? Where does the ssoid come from? Thanks
        manuel_b added a comment -

        Hi everybody,
        I have the same issue. So our problem is the following: We have a sign-up form on an HTML page. This sign-up form is sent to a REST servlet in a webapp. The servlet registers the user and logs the user in. After logging in, the user is redirected to another web app. Now he has to re-enter his just-created credentials again.

        Unfortunately no JSESSIONIDSSO cookie is set by the REST servlet.
        adriaaaaan added a comment -

        Bump? Surely this has to be considered for GF4? There's no point in having SSO if you can't use it. We log in via REST and can't use SSO unless this is resolved. Is there not any kind of workaround or way to set the cookie manually?
        Shing Wai Chan added a comment -
        • What is the impact on the customer of the bug?
          SSO not working for programmatic login.
        • What is the cost/risk of fixing the bug?
          The SSO should be unregistered when it is logged out.
          Also, the J2EEInstanceListener should not call the 196 logout as in 3.x.
        • Is there an impact on documentation or message strings?
          No.
        • Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
          SQE pe/security tests
        • Which is the targeted build of 4.0 for this fix?
          4.0_b84 (assuming b83 is already done)
        • If this is an integration of a new version of a component from another project,
          what are the changes that are being brought in? This might be a list of
          Jira issues from that project or a list of revision messages.
          N/A
        Shing Wai Chan added a comment -

        While fixing another issue, part of the fix was done in svn 60610.
        The following code resolved the issue for logout.
        This completes the fix for the issue.

        Sending appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java
        Sending appserver/web/web-core/src/main/java/org/apache/catalina/Authenticator.java
        Sending appserver/web/web-core/src/main/java/org/apache/catalina/Realm.java
        Sending appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
        Sending appserver/web/web-core/src/main/java/org/apache/catalina/connector/Request.java
        Sending appserver/web/web-core/src/main/java/org/apache/catalina/realm/RealmBase.java
        Sending appserver/web/web-glue/src/main/java/com/sun/web/server/J2EEInstanceListener.java
        Sending nucleus/common/common-util/src/main/java/com/sun/enterprise/security/integration/RealmInitializer.java
        Transmitting file data ........
        Committed revision 61154.

          People

          • Assignee: Shing Wai Chan
          • Reporter: skrall
          • Votes: 13
          • Watchers: 11