without

login-required="true"

would work, but then I will not request login

It seems it logs me in only for https scheme, but not for http session that is why it redirects me to the login page...?

So I have figured out that that https has it own session and http as well, is there an option to have them synchronized or better just one session for both schemes?

this:

<core:servlet-session invalidate-on-scheme-change="false"/>

does not work for me ;(.

PS I have Seam 2.0.3.CR1

Thanks for help

the same question and no answer? jboss discussion

Details

1) welcome page (http) -> login page (https) -> home (http) this one works

2 cookies:

localhost - JSESSIONID
content - 2ED1AC0A676B6DF12873AA6E2042D679
host - localhost
path - /
send for - Any type of connection
expires - at the end of session

localhost - org.jboss.seam.security.username
content - myLogin
host - localhost
path - /MYAPP
send for - Any type of connection
expires - (some time)

2) login page (https) -> home (http) here I stay at login page since I have 2 sessions this one does not work

3 cookies:

localhost - JSESSIONID
content - 024BA11AD0B714ED8FBC17CCEA469F4C
host - localhost
path - /CM3v2
send for - Encrypted connections only
expires - at the end of session


localhost - org.jboss.seam.security.username
content - myLogin
host - localhost
path - /MYAPP
send for - Any type of connection
expires - (some time)

localhost - JSESSIONID
content - B38B0863802952FE27B8934193791C5E
host - localhost
path - /
send for - Any type of connection
expires - at the end of session

1.when my navigation is http -> https it seems work 2.but if I go directly to https then it dies not work

1. I get 2 cookies

JSESSIONID
org.jboss.seam.security.username

2. I get 3 cookies

JSESSIONID (path /myApp) - Encrypted connections only
org.jboss.seam.security.username
JSESSIONID (path /)

Details

1) welcome page (http) -> login page (https) -> home (http) this one works

2 cookies:

localhost - JSESSIONID
content - 2ED1AC0A676B6DF12873AA6E2042D679
host - localhost
path - /
send for - Any type of connection
expires - at the end of session

localhost - org.jboss.seam.security.username
content - myLogin
host - localhost
path - /MYAPP
send for - Any type of connection
expires - (some time)

2) login page (https) -> home (http) here I stay at login page since I have 2 sessions this one does not work

3 cookies:

localhost - JSESSIONID
content - 024BA11AD0B714ED8FBC17CCEA469F4C
host - localhost
path - /CM3v2
send for - Encrypted connections only
expires - at the end of session


localhost - org.jboss.seam.security.username
content - myLogin
host - localhost
path - /MYAPP
send for - Any type of connection
expires - (some time)

localhost - JSESSIONID
content - B38B0863802952FE27B8934193791C5E
host - localhost
path - /
send for - Any type of connection
expires - at the end of session

The session ID cookies have different paths, which explains why the authenticated session is being lost. Is it a single Seam application (with a single war file) that's being deployed?

it is a single application that has a single ear file and a single war in it.

Do you have any idea why the context paths might be different? Under which path is your app deployed?

It is deployed under

localhost/MyApp

I have port 80 and 443

when I go to the login.seam

I go to

localhost/MyApp/login.seam

I never go to localhost/

I could be reproducing it over and over again.

I found that if I navigate to the login.seam via http then seam redirects to the https and it is ok. if I go to the login.seam via https directly then I get the problem.

Further up you mentioned that going from https to http one of the cookies is stored under /CM3v2 - where does this path come from?

That is my Application name (MyApp), I just did not change it here.

so if I erase all cookies and then go to https://localhost/MyApp/login.seam

I get

localhost - JSESSIONID
content - 024BA11AD0B714ED8FBC17CCEA469F4C
host - localhost
path - /MyApp 
send for - Encrypted connections only
expires - at the end of session

this is a problem.

but if I go to http://localhost/MyApp/login.seam

I get

localhost - JSESSIONID
content - B38B0863802952FE27B8934193791C5E
host - localhost
path - /
send for - Any type of connection
expires - at the end of session

which works good

the problem is that once I go to https://localhost/MyApp/login.seam and I do not have a previous cookie (http) then I cannot recover from this (have to manually erase cookies)

Shane, I have noticed that jboss-seam.jar is under app.ear and not in app.war under WEB-INF/lib. I also run my application in exploded version, can this also affect the path in the cookie?

Shane, I have noticed that jboss-seam.jar is under app.ear and not in app.war under WEB-INF/lib.

That's fine.

I also run my application in exploded version, can this also affect the path in the cookie?

I don't think that should matter, but it should be an easy thing for you to test.

Can you confirm which container you're running in?

I am running JBoss AS 4.2.3.GA - (java 6)

Can you please paste your connector configuration from deploy/jboss-web.deployer/server.xml ?

Here is the entire file:

<Server>

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />

   <!-- Use a custom version of StandardService that allows the
   connectors to be started independent of the normal lifecycle
   start to allow web apps to be deployed before starting the
   connectors.
   -->
   <Service name="jboss.web">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="80" address="${jboss.bind.address}"    
         maxThreads="250" maxHttpHeaderSize="8192"
         emptySessionPath="true" protocol="HTTP/1.1"
         enableLookups="false" redirectPort="443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true" />

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!-- -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/.keystore"
               keystorePass="myPass"/>
    

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
         emptySessionPath="true" enableLookups="false" redirectPort="443" />

      <Engine name="jboss.web" defaultHost="localhost">

         <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         - certificatePrincipal : the class name of the
         org.jboss.security.auth.certs.CertificatePrincipal impl
         used for mapping X509[] cert chains to a Princpal.
         - allRolesMode : how to handle an auth-constraint with a role-name=*,
         one of strict, authOnly, strictAuthOnly
           + strict = Use the strict servlet spec interpretation which requires
           that the user have one of the web-app/security-role/role-name
           + authOnly = Allow any authenticated user
           + strictAuthOnly = Allow any authenticated user only if there are no
           web-app/security-roles
         -->
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            allRolesMode="authOnly"
            />
         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
         - allRolesMode : how to handle an auth-constraint with a role-name=*,
         one of strict, authOnly, strictAuthOnly
           + strict = Use the strict servlet spec interpretation which requires
           that the user have one of the web-app/security-role/role-name
           + authOnly = Allow any authenticated user
           + strictAuthOnly = Allow any authenticated user only if there are no
           web-app/security-roles
         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            allRolesMode="authOnly"
            />
         -->

        <Host name="localhost"
           autoDeploy="false" deployOnStartup="false" deployXML="false"
           configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
           >

            <!-- Uncomment to enable request dumper. This Valve "logs interesting 
                 contents from the specified Request (before processing) and the 
                 corresponding Response (after processing). It is especially useful 
                 in debugging problems related to headers and cookies."
            -->
            <!--
            <Valve className="org.apache.catalina.valves.RequestDumperValve" />
            -->
 
            <!-- Access logger -->
            <!--
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                prefix="localhost_access_log." suffix=".log"
                pattern="common" directory="${jboss.server.log.dir}" 
                resolveHosts="false" />
            -->

            <!-- Uncomment to enable single sign-on across web apps
                deployed to this host. Does not provide SSO across a cluster.     
            
                If this valve is used, do not use the JBoss ClusteredSingleSignOn 
                valve shown below. 
                
                A new configuration attribute is available beginning with
                release 4.0.4:
                
                cookieDomain  configures the domain to which the SSO cookie
                              will be scoped (i.e. the set of hosts to
                              which the cookie will be presented).  By default
                              the cookie is scoped to "/", meaning the host
                              that presented it.  Set cookieDomain to a
                              wider domain (e.g. "xyz.com") to allow an SSO
                              to span more than one hostname.
             -->
            <!--
            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
            -->

            <!-- Uncomment to enable single sign-on across web apps
               deployed to this host AND to all other hosts in the cluster.
            
               If this valve is used, do not use the standard Tomcat SingleSignOn
               valve shown above.
            
               Valve uses a JBossCache instance to support SSO credential 
               caching and replication across the cluster.  The JBossCache 
               instance must be configured separately.  By default, the valve 
               shares a JBossCache with the service that supports HttpSession 
               replication.  See the "jboss-web-cluster-service.xml" file in the 
               server/all/deploy directory for cache configuration details.
            
               Besides the attributes supported by the standard Tomcat
               SingleSignOn valve (see the Tomcat docs), this version also 
               supports the following attributes:
            
               cookieDomain   see above
            
               treeCacheName  JMX ObjectName of the JBossCache MBean used to 
                              support credential caching and replication across
                              the cluster. If not set, the default value is 
                              "jboss.cache:service=TomcatClusteringCache", the 
                              standard ObjectName of the JBossCache MBean used 
                              to support session replication.
            -->
            <!--
            <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
            -->
         
            <!-- Check for unclosed connections and transaction terminated checks
                 in servlets/jsps.
                 
                 Important: The dependency on the CachedConnectionManager
                 in META-INF/jboss-service.xml must be uncommented, too
            -->
            <Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
                cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
                transactionManagerObjectName="jboss:service=TransactionManager" />

         </Host>

      </Engine>

   </Service>

</Server>

Yep, it seems fixed the problem ;D, you are awesome!

Thank you for helping me with it.

I owe you a beer now... ;)

If you mean on my server. I have there 3 applications that are independent of each other.