14.4. Use Single Sign On (SSO) In A Web Application


Single Sign On (SSO) capabilities are provided by the web and Infinispan subsystems. Use this procedure to configure SSO in web applications.


  • A configured security domain which handles authentication and authorization.
  • The infinispan subsystem. It is present in the full-ha profile for a managed domain, or by using the standalone-full-ha.xml configuration in a standalone server.
  • The web cache-container and SSO replicated-cache. The initial configuration files already contain the web cache-container, and some of the configurations already contain the SSO replicated-cache as well. Use the following commands to check for and enable the SSO replicated-cache. Note that these commands modify the ha profile of a managed domain. You can change the commands to use a different profile, or remove the /profile=ha portion of the command, for a standalone server.

    Example 14.1. Check for the web cache-container

    The profiles and configurations mentioned above include the web cache-container by default. Use the following command to verify its presence. If you use a different profile, substitute its name instead of ha.
    If the result is success the subsystem is present. Otherwise, you need to add it.

    Example 14.2. Add the web cache-container

    Use the following three commands to enable the web cache-container to your configuration. Modify the name of the profile as appropriate, as well as the other parameters. The parameters here are the ones used in a default configuration.

    Example 14.3. Check for the SSO replicated-cache

    Run the following Management CLI command:
    Look for output like the following: "sso" => {
    If you do not find it, the SSO replicated-cache is not present in your configuration.

    Example 14.4. Add the SSO replicated-cache

    /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=sso:add(mode="SYNC", batching=true)
  • The web subsystem needs to be configured to use SSO. The following command enables SSO on the virtual server called default-host, and the cookie domain domain.com. The cache name is sso, and reauthentication is disabled.
  • Each application which will share the SSO information must be configured to use the same <security-domain> in its jboss-web.xml deployment descriptor and the same Realm in its web.xml configuration file.
Configure Clustered or Non-Clustered SSO

Configure sso under the web subsystem in the server profile. The ClusteredSingleSignOn version is used when attribute cache-container is present, otherwise standard SingleSignOn class is used.

Example 14.5. Example Clustered SSO Configuration


Example 14.6. Example Non-Clustered SSO Configuration

Invalidate a Session

An application can programmatically invalidate a session by invoking method javax.servlet.http.HttpSession.invalidate().