
Key: GLASSFISH-18356
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Shing Wai Chan
Reporter: skrall
Votes: 13
Watchers: 11


HttpServletRequest.login does not work correctly with single sign-on (SSO): JSESSIONIDSSO cookie is not sent.

Created: 13/Feb/12 08:28 PM   Updated: 04/Apr/13 12:09 AM   Resolved: 04/Apr/13 12:09 AM
Component/s: web_container
Affects Version/s: 3.1.1, 3.1.2_b21
Fix Version/s: 4.0_b84_RC1

Time Tracking:
Not Specified

File Attachments: 1. Zip Archive (314 kB) 13/Feb/12 08:28 PM - skrall
Environment: Linux, Java 1.7.0_02, Glassfish 3.1.1 Release and 3.1.2-b22

Tags: 3_1_2-exclude 3_1_2-next 4_0-approved
Participants: adriaaaaan, javabeats, Joe Di Pol, kumara, manuel_b, Shing Wai Chan and skrall

Description

Configure Glassfish for SSO, and add a user to the file realm from the Admin Console:

Configurations->server-config->HTTP Service: SSO: Enabled
Configurations->server-config->Security: Default Principal To Role Mapping: Enabled
Configurations->server-config->Realms->file: Add a user with username: "username" password: "password" and role of "customrole"

Deploy the attached war file. (It's inside the zip file, which contains the war and src).

If you log in using the FORM login method (the third link), you will be logged into the web application and receive a JSESSIONIDSSO cookie, so going to another web application in the same realm will not prompt for credentials.

Log out or close the browser, then try to log in using the HttpServletLogin method (the second link) with something like http://localhost:8080/single-sign-on/login?u=username&p=password. You will be logged in, but the JSESSIONIDSSO cookie is not sent, so going to another web application in the same realm will prompt for credentials.

The JSESSIONIDSSO cookie should be sent, and navigating to another web application in the same realm should not prompt for credentials.
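The check below is an added example, not code from this issue or its attached war: it performs the programmatic login with curl, reports whether the response carries a JSESSIONIDSSO cookie, and then replays the cookie jar against a second SSO web application to see whether it prompts. The server URL, the "u"/"p" parameter names of the reporter's login servlet and the second app path /second-app/ are assumptions.

```sh
#!/bin/sh
# Added example, not code from this issue or its attached war: checks whether a
# programmatic login (HttpServletRequest.login) issues JSESSIONIDSSO and whether
# a second SSO-enabled web application honours it. Assumed placeholders: GlassFish
# at $SSO_BASE, the reporter's servlet at /single-sign-on/login reading "u" and "p"
# (sent as a POST body to keep the password out of access logs), and a second
# protected app at /second-app/ reachable by role "customrole".

# Exit 0 when captured response headers on stdin set a JSESSIONIDSSO cookie.
has_sso_cookie() {
    grep -iq '^Set-Cookie:[[:space:]]*JSESSIONIDSSO='
}

# Print the JSESSIONIDSSO value from captured headers on stdin (empty if absent).
sso_cookie_value() {
    tr -d '\r' | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*JSESSIONIDSSO=\([^;]*\).*/\1/p' | head -n 1
}

# Classify the second app's answer: $1 = HTTP status, $2 = body. A FORM-login
# challenge is served with status 200, so the body is checked for j_security_check.
classify_second_app() {
    case "$1" in
        401|302) echo prompted ;;
        200) case "$2" in *j_security_check*) echo prompted ;; *) echo sso-ok ;; esac ;;
        *) echo "unexpected($1)" ;;
    esac
}

check_programmatic_login() {
    jar=$(mktemp)
    headers=$(curl -s -D - -o /dev/null -c "$jar" \
        --data-urlencode "u=$SSO_USER" --data-urlencode "p=$SSO_PASS" \
        "$SSO_BASE/single-sign-on/login")
    if printf '%s\n' "$headers" | has_sso_cookie; then
        echo "JSESSIONIDSSO issued: $(printf '%s\n' "$headers" | sso_cookie_value)"
    else
        echo "no JSESSIONIDSSO in login response (the behaviour this issue reports)"
    fi
    # Replay the cookie jar against the second app; a prompt means SSO did not apply.
    body=$(curl -s -b "$jar" -w '\n%{http_code}' "$SSO_BASE/second-app/")
    status=$(printf '%s' "$body" | tail -n 1)
    echo "second app: $(classify_second_app "$status" "$body")"
    rm -f "$jar"
}

# Only contact a server when SSO_BASE is set, e.g. SSO_BASE=http://localhost:8080.
if [ -n "${SSO_BASE:-}" ]; then
    : "${SSO_USER:=username}" "${SSO_PASS:=password}"
    check_programmatic_login
fi
```

Run it against a build that still has the bug and the first line reports no JSESSIONIDSSO while the second app is classified as prompted; on a fixed build both lines change.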

kumara added a comment - 13/Feb/12 08:40 PM

-> web_container

Shing Wai Chan added a comment - 13/Feb/12 11:32 PM

The org.apache.catalina.connector#login and #authenticate methods are quite different from Tomcat code.
In Tomcat, the logic is delegated back to Authenticator.

Security team may like to compare this with Tomcat 7 code base.

Please go through the bug fix guidelines in

Joe Di Pol added a comment - 17/Feb/12 07:52 PM

Too late to address in 3.1.2. Tagging for consideration in next release.

adriaaaaan added a comment - 20/Apr/12 09:10 AM

I'm guessing there's not going to be a 3.1.3? Is there any chance of a workaround, as we've been counting on using SSO for some time but have been constantly prevented from doing so by endless bugs?

javabeats added a comment - 20/Apr/12 01:03 PM

Agreed. A patch or update would be welcome, rather than having us all upgrade production systems in a hurry to 3.2 to finally have SSO directly from Glassfish.

adriaaaaan added a comment - 14/Sep/12 02:39 PM

Any movement on this issue? It was tagged for the next release but that has come and gone. Is there any known workaround (for example, creating the cookie manually)? Where does the ssoid come from? Thanks

manuel_b added a comment - 27/Dec/12 11:24 AM

Hi everybody,
I have the same issue. So our problem is the following: we have a sign-up form on an HTML page. This sign-up form is sent to a REST servlet in a webapp. The servlet registers the user and logs the user in. After logging in, the user is redirected to another web app. Now he has to re-enter his just-created credentials again.

Unfortunately, no JSESSIONIDSSO cookie is set by the REST servlet.

adriaaaaan added a comment - 20/Mar/13 10:38 AM

Bump? Surely this has to be considered for GF4? There's no point in having SSO if you can't use it. We log in via REST and can't use SSO unless this is resolved. Is there not any kind of workaround or way to set the cookie manually?

Shing Wai Chan added a comment - 03/Apr/13 06:33 PM
  • What is the impact on the customer of the bug?
    SSO not working for programmatic login.
  • What is the cost/risk of fixing the bug?
    The SSO should be unregistered when the user logs out.
    Also, the J2EEInstanceListener should not call the JSR 196 logout as in 3.x.
  • Is there an impact on documentation or message strings?
  • Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
    SQE pe/security tests
  • Which is the targeted build of 4.0 for this fix?
    4.0_b84 (assuming b83 is already done)
  • If this is an integration of a new version of a component from another project, what are the changes that are being brought in? This might be a list of Jira issues from that project or a list of revision messages.

Shing Wai Chan added a comment - 04/Apr/13 12:09 AM

While fixing another issue, part of the fix is done in svn 60610.
The following code resolved the issue for logout.
This completes the fix for the issue.

Sending appserver/security/webintegration/src/main/java/com/sun/web/security/
Sending appserver/web/web-core/src/main/java/org/apache/catalina/
Sending appserver/web/web-core/src/main/java/org/apache/catalina/
Sending appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/
Sending appserver/web/web-core/src/main/java/org/apache/catalina/connector/
Sending appserver/web/web-core/src/main/java/org/apache/catalina/realm/
Sending appserver/web/web-glue/src/main/java/com/sun/web/server/
Sending nucleus/common/common-util/src/main/java/com/sun/enterprise/security/integration/
Transmitting file data ........
Committed revision 61154.