webtier@glassfish.java.net

login form, sso, roles, cached identity

From: <webtier_at_javadesktop.org>
Date: Wed, 18 Feb 2009 15:00:26 PST

Hello everyone,

I have a strange problem. Let me explain it.

I have 2 web applications (just .war's) on a single Glassfish, SSO enabled. Both use one realm configured in Glassfish, a JDBC realm taking accounts/roles from a database (MySQL). This whole configuration is working nicely.

Then I used programmatic login for one application, very useful in the registration scenario: the user registers himself and after submitting, the application logs him in programmatically with the information he just entered. Again, no problem.

A little problem was with logout. I discovered that, possibly, invalidating the session and removing the session ID cookie and the SSO session ID cookie will definitely log the user out. However, sometimes there is strange behaviour (log in in one application, then go to the second, log out there, go back into the first... and sometimes the user is still logged in). But the basic login is working, which is enough... (who cares much about logout, just close the browser :) )

BUT then.

Roles for the first web application and the second web application are different. Let's say ROLE_A for app A and ROLE_B for app B (mentioned in web.xml and properly mapped to the db values in sun-web.xml).
In both web.xml's two security constraints are defined. One is specific to the application and maps the concrete URLs which are secured for the specific role. The second constraint is the same in both web.xml's and restricts the login and logout URLs for both roles,
like this:
A.web.xml
<security-constraint>
  <display-name>Constraint A user</display-name>
  <web-resource-collection>
    <web-resource-name>aaa</web-resource-name>
    <description/>
    <url-pattern>/app/whatever</url-pattern>
    <url-pattern>/app/whateverelse</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>ROLE_A</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <display-name>Constraint login</display-name>
  <web-resource-collection>
    <web-resource-name>anybody login</web-resource-name>
    <description/>
    <url-pattern>/login</url-pattern>
    <url-pattern>/logout</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>ROLE_A</role-name>
    <role-name>ROLE_B</role-name>
  </auth-constraint>
</security-constraint>
Similar in B.web.xml

In both applications, registration is required. Registration takes different information in the two applications, which is why registration is application-specific. The only shared info is the login (SSO).
If a user first registers in one application (and automatically gets logged in), then goes into the second, the application discovers he already has a login, but no registration in the second application, and redirects him to the registrationB page. The second registration adds a role into the db and must now re-login the user, to take the new role into account.

This is the problem.

I made many tries, in several ways (it gives a new point of view on the small logout problem :)). I tried programmatic logout, invalidating the session and then programmatic login again. It wasn't working. As it seems, in the web application, if you ask request.isUserInRole(), he is in both roles (ROLE_A and ROLE_B). However, when the user accesses any secured page in the second application, Glassfish says access denied. I looked into detailed logs and it seems that it has something to do with SSO ('Checking for cached principal for 8BB64D....', 'Found cached principal 'username' with auth type 'FORM' in realm 'jdbcrealm''). It seems that Glassfish is reusing the old authentication. This is strange. If you ask in the web app, he has the role, but then Glassfish fails. :/

However, I needed a solution. I tried to clear the session ID cookie and the SSO session ID cookie. Wow. It works, logout was successful. Glassfish wasn't reusing the cached info anymore. But now programmatic login is not working. It is there, it writes 'login successful', but the user is not logged in, and when he accesses a secured page, the login form appears and he must fill it in.
(Even stranger, the same programmatic login code works when doing plain registration, in both applications. It really has something to do with the SSO cookie, I think.)

I did try almost every possible combination and spent nearly two weeks on this. I don't know what else I could try to get this working.
The question is: how to re-authenticate to a web application without displaying the login form, when already logged in to another application but without the appropriate role... (complicated to describe, but I hope the description above is understandable).

Thanks a lot for any information about reauthentication, refreshing info in Glassfish (cached principal), or logout with SSO.
[Message sent by forum member 'bob4mar' (bob4mar)]

http://forums.java.net/jive/thread.jspa?messageID=332769
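As an added example that is not part of the original post or of GlassFish: a small Python analyser for the A.web.xml constraints quoted in the post. It parses the two <security-constraint> elements (the fragment is wrapped in a <web-app> root and the schema namespace is left out so that it parses; the function names and the result labels are this example's own) and models the container's decision for a request: which constraint applies to a given path and method, and whether a user holding ROLE_A or ROLE_B passes. It also shows the caveat such a check turns up in this configuration: under Servlet 2.5, listing <http-method> elements makes the constraint apply only to those methods, so any method not in the list (PATCH, or an arbitrary verb such as the constructed FOO below) reaches /app/whatever with no role check at all, while omitting <http-method> entirely covers every method. Whether the resource then actually serves such a request depends on the servlet behind it.

```python
"""Analyse the <security-constraint> elements of a Servlet 2.x web.xml.

Added example, not code from the original post or from GlassFish. WEB_XML is
constructed from the poster's A.web.xml fragment, wrapped in a <web-app> root
with the namespace omitted (assumption); function names are this example's own.
"""
import xml.etree.ElementTree as ET

WEB_XML = """\
<web-app>
  <security-constraint>
    <display-name>Constraint A user</display-name>
    <web-resource-collection>
      <url-pattern>/app/whatever</url-pattern>
      <url-pattern>/app/whateverelse</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_A</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Constraint login</display-name>
    <web-resource-collection>
      <url-pattern>/login</url-pattern>
      <url-pattern>/logout</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ROLE_A</role-name>
      <role-name>ROLE_B</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def parse_constraints(xml_text):
    """One dict per <security-constraint>. roles is None without an
    <auth-constraint> (open to all) and [] for an empty one (closed to all);
    methods is [] when no <http-method> is listed, i.e. every method."""
    constraints = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        constraints.append({"name": sc.findtext("display-name", default="").strip(),
                            "patterns": patterns, "methods": methods, "roles": roles})
    return constraints


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.jsp)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def access_decision(constraints, path, method, user_roles):
    """'unconstrained' if no constraint covers path+method (nothing is checked),
    otherwise 'allowed'/'denied' from the union of the applicable constraints' roles."""
    method = method.upper()
    applicable = [c for c in constraints
                  if any(pattern_matches(p, path) for p in c["patterns"])
                  and (not c["methods"] or method in c["methods"])]
    if not applicable:
        return "unconstrained"
    if any(c["roles"] == [] for c in applicable):
        return "denied"      # an empty <auth-constraint> excludes everyone
    if any(c["roles"] is None for c in applicable):
        return "allowed"     # a constraint without <auth-constraint> admits everyone
    allowed_roles = set().union(*(c["roles"] for c in applicable))
    return "allowed" if allowed_roles & set(user_roles) else "denied"


def unconstrained_methods(constraints, path, probe_methods):
    """Methods from probe_methods that reach `path` with no role check at all."""
    return [m for m in probe_methods
            if access_decision(constraints, path, m, []) == "unconstrained"]


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for c in cs:
        print(c["name"], c["patterns"], "roles", c["roles"], "methods", c["methods"] or "ALL")
    probe = ["GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE", "PATCH", "FOO"]
    print("unchecked on /app/whatever:", unconstrained_methods(cs, "/app/whatever", probe))
    print("ROLE_B, GET /app/whatever:", access_decision(cs, "/app/whatever", "GET", ["ROLE_B"]))
```

Run it as a script to see the report; point parse_constraints at a real web.xml (stripping or mapping the namespace) to audit a deployment. The fix for the unchecked methods, if the intent is "only these roles, for any method", is simply to delete the <http-method> elements from the <web-resource-collection>.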