Red Hat Training

A Red Hat training course is available for Red Hat JBoss Enterprise Application Platform

19.4. Use Single Sign On (SSO) In A Web Application


Single Sign On (SSO) capabilities are provided by the web and Infinispan subsystems. Use this procedure to configure SSO in web applications.


  • A configured security domain which handles authentication and access.
  • The infinispan subsystem. By default, it is present in all the profiles for managed domain and standalone server.
  • The web cache-container and SSO replicated-cache. The initial configuration files already contain the web cache-container, and some of the configurations already contain the SSO replicated-cache as well. Use the following commands to check for and enable the SSO replicated-cache. Note that these commands modify the ha profile of a managed domain. You can change the commands to use a different profile, or remove the /profile=ha portion of the command, for a standalone server.

    Example 19.1. Check for the web cache-container

    The profiles and configurations mentioned above include the web cache-container by default. Use the following command to verify its presence. If you use a different profile, substitute its name instead of ha.
    If the result is success the subsystem is present. Otherwise, you need to add it.

    Example 19.2. Add the web cache-container

    Use the following three commands to enable the web cache-container to your configuration. Modify the name of the profile as appropriate, as well as the other parameters. The parameters here are the ones used in a default configuration.

    Example 19.3. Check for the SSO replicated-cache

    Run the following Management CLI command:
    Look for output like the following: "sso" => {
    If you do not find it, the SSO replicated-cache is not present in your configuration.

    Example 19.4. Add the SSO replicated-cache

    /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=sso:add(mode="SYNC", batching=true)
Configure Clustered SSO for a Managed Domain

The web subsystem needs to be configured to use SSO. The following command enables SSO on the virtual server called default-host, and the cookie domain The cache name is sso, and reauthentication is disabled.
Each application which will share the SSO information must be configured to use the same <security-domain> in its jboss-web.xml deployment descriptor and the same Realm in its web.xml configuration file.
Configure Clustered or Non-Clustered SSO for a Standalone Server

Configure sso under the web subsystem in the server profile. The ClusteredSingleSignOn version is used when attribute cache-container is present, otherwise standard SingleSignOn class is used.

Example 19.5. Example Non-Clustered SSO Configuration

Invalidate a Session

An application can programmatically invalidate a session by invoking method javax.servlet.http.HttpSession.invalidate().