1. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 9, 2002 11:06 AM (in response to coyner_b)
I have just been looking at SRP and seem to be in a similar situation as you. I'm using 2.4.4 and am seeing unpredictable behaviour when using the SRPCacheLoginModule with the DatabaseLoginModule: when JBoss first starts and I run a client against it, my client is authenticated ok. Subsequently when I run clients, they succeed and fail to be authenticated without any pattern. I put some tracing into the SRPCacheLoginModule and you are correct, logout is never called so it looks like it has something to do with the TimeoutCachePolicy but I'm not 100% on this and will need to do more investigating, although it does appear that the SRPCacheLoginModule/SRPService is sometimes able to get credentials from the cache and sometimes not! Do you get intermittent authentication failures?
Cheers
Nick
2. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
coyner_b Apr 9, 2002 11:46 AM (in response to coyner_b)
I am getting the exact behavior you are seeing. The first time I log in everything is good. Then I log out, log back in and the weird behavior appears. I even went as far as writing my own SRP login module, complete with a VerifierStore implementation, but I still get the same behavior.
I looked into the SRPService code and they have hard coded the TimedCachePolicy class. So I guess this means that we cannot change the cache policy, which is totally weak.
I keep thinking that I should move to JBoss 3.0 but I am not going to be in beta forever. I will probably end up writing some custom code to clean up the cache for a given subject, if this is even possible.
Brian
3. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 10, 2002 6:28 AM (in response to coyner_b)
Have you tried the SRP stuff in version 3? If it works then I may well move on up!
Nick
4. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
coyner_b Apr 10, 2002 7:13 AM (in response to coyner_b)
I have not tried 3.0, but I did look at the source code and the SRPLoginModule does call the server to log out. So I can only assume that the cache is being cleaned up.
Is anyone using SRP in a production environment? If so how did you get around the caching problem?
Brian
5. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 10, 2002 7:48 AM (in response to coyner_b)
Just noticed 2.4.5 (RC1) has been released which fixes amongst other things a problem with the TimedCachePolicy which wasn't thread safe when it was supposed to be and vice-versa...could be the source of this strange behaviour.
Nick
6. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 10, 2002 8:23 AM (in response to coyner_b)
Oops, misread the change notes and the above applies when checking the TimedCachePolicy. Some changes have been made to the SRP stuff tho:
org/jboss/security/srp/SRPParameters.java, Add hashAlgorithm, cipherAlgorithm, and cipherIV for user session encryption info.
org/jboss/security/srp/SRPServerInterface.java, Add a close method to close a user SRP session.
org/jboss/security/srp/jaas/SRPLoginModule.java, login adds the session key and SRPParameters to the Subject private credentials. logout closes the user SRP session with the server.
org/jboss/security/srp/jaas/SRPCacheLoginModule.java, login adds the session key and SRPParameters to the Subject private credentials.
Nick
7. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
coyner_b Apr 10, 2002 8:31 AM (in response to coyner_b)
These changes seem like they might fix the problems. I hope so! Where did you see the 2.4.5 release? I did not see it on their website. I will try it later this afternoon.
Brian
8. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 10, 2002 11:02 AM (in response to coyner_b)
It's at Sourceforge:
http://sourceforge.net/project/showfiles.php?group_id=22866
The change notes are available here:
http://sourceforge.net/project/shownotes.php?release_id=83816
9. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 15, 2002 11:17 AM (in response to coyner_b)
Just got around to trying 2.4.5 RC1. Had the class not found error and made the changes recommended in the bug report, rebuilt the jbosssx stuff and now get a "srp not bound" error. Did you come across this problem? And while we're on the subject, did the 2.4.5 changes fix the srp caching strangeness?
Nick
10. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
coyner_b Apr 15, 2002 7:42 PM (in response to coyner_b)
I am glad to hear that the bug fixes I posted worked. I assume that you looked at mine. ;-) Hopefully someone will integrate the changes.
I received the "srp not bound" exception. How I got around this was with the following snippet of code...
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.Name;
    import org.jboss.naming.NonSerializableFactory;

    public void startService() throws Exception {
        Context context = new InitialContext();
        this.dbStore = new DatabaseVerifierStore(this.dsJndiName, this.query);
        Name name = context.getNameParser("").parse(this.jndiName);
        // Bind the database-backed store under the configured JNDI name
        NonSerializableFactory.rebind(name, this.dbStore, true);
    }
I wrote my own SRP Service MBean implementation that uses a database, which is where the above code snippet is from. The above code is a change to fix the "srp" binding bug, which does bind the "srp" name to the Context.
There is yet another bug though... which I have not yet fixed. The error is another classpath problem. Ugh!
java.lang.NoClassDefFoundError: org/jboss/security/srp/SRPParameters
Let me know if you get the same problems. I assume that once the server starts then my unit tests will pass with flying colors. ;-) Or so I hope!
Brian
11. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
nicktaylor Apr 16, 2002 11:52 AM (in response to coyner_b)
Many thanks for the tips Brian...nice touch using a database to store the credentials instead of the .ser file! I haven't tried doing the rebind myself yet but noticed that the SRPParameters.class is in jbosssx.jar, shouldn't it be in jboss-jaas.jar to avoid the NoClassDefFoundError? I'm looking to move to 3.0 now it's at RC1 so I think this stuff will have to be put on the back burner for now.
Best of luck :)
Nick