11 Replies Latest reply on Apr 16, 2002 11:52 AM by nicktaylor

    SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)

    coyner_b

      I have concerns that the SRP Login Modules are not performing any clean up when a user logs out. JBoss appears to only clean up the client SRP login modules without calling the SRPCacheLoginModule to remove the user's generated SRP credentials from the cache. This causes a second attempt at logging in and accessing secured EJBs to fail, because the client side sees a new user but the server side sees the user as already being in the cache, which of course fails because the credentials are not in sync. I did some digging around in the 3.0 code and noticed that the SRPLoginModule (client side) was calling across to the server to clean up the cache, or so it appears.

      Any thoughts?

      Brian
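
A model of the cache desync described in this post (added here as an illustration; it is not JBoss code and does not implement SRP): every client login derives a fresh session key, while the server keeps the old entry until a TimedCachePolicy-style TTL expires, so a re-login validates only if the entry has expired or logout explicitly closed the server session. Class and function names below are invented for the model.

```python
import secrets

class ClientSRPLoginModule:
    """Client side: each login() runs a new handshake and gets a fresh session key."""
    def __init__(self, username):
        self.username = username
        self.session_key = None

    def login(self):
        self.session_key = secrets.token_hex(16)  # stands in for the SRP-derived key
        return self.session_key

    def logout(self, server=None):
        # 2.4.4 behaviour: only local clean-up (server is None).
        # 2.4.5 behaviour: also close the user's SRP session on the server.
        if server is not None:
            server.close(self.username)
        self.session_key = None

class SRPServerCache:
    """Server side: session entries keyed by username, evicted only on TTL expiry or close()."""
    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds
        self.clock = clock            # injected so the model can advance time deterministically
        self.entries = {}             # username -> (session_key, inserted_at)

    def handshake(self, username, session_key):
        cached = self.entries.get(username)
        if cached and self.clock() - cached[1] < self.ttl:
            return                    # stale entry still "in the cache": new key is ignored
        self.entries[username] = (session_key, self.clock())

    def validate(self, username, session_key):
        cached = self.entries.get(username)
        if cached is None or self.clock() - cached[1] >= self.ttl:
            return False
        return secrets.compare_digest(cached[0], session_key)

    def close(self, username):
        self.entries.pop(username, None)

def relogin(evict_on_logout, seconds_between_logins, ttl=60):
    """Login, logout, login again; return whether the second session validates."""
    now = [0.0]
    server = SRPServerCache(ttl, clock=lambda: now[0])
    client = ClientSRPLoginModule("brian")  # constructed sample user
    server.handshake(client.username, client.login())
    client.logout(server if evict_on_logout else None)
    now[0] += seconds_between_logins
    key2 = client.login()
    server.handshake(client.username, key2)
    return server.validate(client.username, key2)
```

`relogin(False, 5)` reproduces the failure (stale entry within the TTL), `relogin(False, 120)` succeeds only because the entry expired, and `relogin(True, 5)` succeeds because logout closed the server session.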

        • 1. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
          nicktaylor

          I have just been looking at SRP and seem to be in a similar situation as you. I'm using 2.4.4 and am seeing unpredictable behaviour when using the SRPCacheLoginModule with the DatabaseLoginModule: when JBoss first starts and I run a client against it, my client is authenticated ok. Subsequently when I run clients, they succeed and fail to be authenticated without any pattern. I put some tracing into the SRPCacheLoginModule and you are correct, logout is never called, so it looks like it has something to do with the TimeoutCachePolicy but I'm not 100% on this and will need to do more investigating, although it does appear that the SRPCacheLoginModule/SRPService is sometimes able to get credentials from the cache and sometimes not! Do you get intermittent authentication failures?

          Cheers
          Nick

          • 2. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
            coyner_b

            I am getting the exact behavior you are seeing. The first time I login every thing is good. Then I log out, log back in and the weird behavior appears. I even went as far as writing my own SRP login module, complete with a VerifierStore implementation, but I still get the same behavior.

            I looked into the SRPService code and they have hard coded the TimedCachePolicy class. So I guess this means that we cannot change the cache policy, which is totally weak.

             I keep thinking that I should move to JBoss 3.0 but I am not going to be in beta forever. I will probably end up writing some custom code to clean up the cache for a given subject, if this is even possible.

            Brian

            • 3. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
              nicktaylor

              Have you tried the SRP stuff in version 3? If it works then I may well move on up!

              Nick

              • 4. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                coyner_b

                I have not tried 3.0, but I did look at the source code and the SRPLoginModule does call the server to log out. So I can only assume that the cache is being cleaned up.

                Is any one using SRP in a production environment? If so how did you get around the caching problem?

                Brian

                • 5. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                  nicktaylor

                  Just noticed 2.4.5 (RC1) has been released which fixes amongst other things a problem with the TimedCachePolicy which wasn't thread safe when it was supposed to be and vice-versa...could be the source of this strange behaviour.

                  Nick

                  • 6. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                    nicktaylor

                    Oops, misread the change notes and the above applies when checking the TimedCachePolicy. Some changes have been made to the SRP stuff tho:

                    org/jboss/security/srp/SRPParameters.java, Add hashAlgorithm, cipherAlgorithm, and cipherIV for user session encryption info.

                    org/jboss/security/srp/SRPServerInterface.java, Add a close method to close a user SRP session.

                    org/jboss/security/srp/jaas/SRPLoginModule.java, login adds the session key and SRPParameters to the Subject private credentials. logout closes the user SRP session with the server.

                    org/jboss/security/srp/jaas/SRPCacheLoginModule.java, login adds the session key and SRPParameters to the Subject private credentials.

                    Nick

                    • 7. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                      coyner_b

                      These changes seem like they might fix the problems. I hope so! Where did you see the 2.4.5 release? I did not see it on their website. I will try it later this afternoon.

                      Brian

                      • 8. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                        nicktaylor
                        • 9. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                          nicktaylor

                          Just got around to trying 2.4.5 RC1. Had the class not found error and made the changes recommended in the bug report, rebuilt the jbosssx stuff and now get a "srp not bound" error. Did you come across this problem? And while we're on the subject, did the 2.4.5 changes fix the srp caching strangeness?

                          Nick

                          • 10. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                            coyner_b

                            I am glad to hear that the bug fixes I posted worked. I assume that you looked at mine. ;-) Hopefully someone will integrate the changes.

                            I received the "srp not bound" exception. How I got around this was with the following snippet of code...

                            import javax.naming.Context;
                            import javax.naming.InitialContext;
                            import javax.naming.Name;
                            import org.jboss.naming.NonSerializableFactory;

                            public void startService() throws Exception {
                                Context context = new InitialContext();

                                // dsJndiName, query and jndiName are attributes of my MBean (set in jboss.jcml)
                                this.dbStore = new DatabaseVerifierStore(this.dsJndiName, this.query);
                                // The store is not Serializable, so bind it through NonSerializableFactory
                                // (createSubcontexts = true) instead of a plain context.rebind()
                                Name name = context.getNameParser("").parse(this.jndiName);
                                NonSerializableFactory.rebind(name, this.dbStore, true);
                            }

                            I wrote my own SRP Service MBean implementation that uses a database, which is where the above code snippet is from. The above code is a change to fix the "srp" binding bug, which does bind the "srp" name to the Context.

                            There is yet another bug though... which I have not yet fixed. The error is another classpath problem. Ugh!
                            java.lang.NoClassDefFoundError: org/jboss/security/srp/SRPParameters

                            Let me know if you get the same problems. I assume that once the server starts then my unit tests will pass with flying colors. ;-) Or so I hope!

                            Brian

                            • 11. Re: SRPCacheLoginModule? Right or Wrong (JBoss 2.4.4)
                              nicktaylor

                              Many thanks for the tips Brian...nice touch using a database to store the credentials instead of the .ser file! I haven't tried doing the rebind myself yet but noticed that the SRPParameters.class is in jbosssx.jar, shouldn't it be in jboss-jaas.jar to avoid the NoClassDefFoundError? I'm looking to move to 3.0 now it's at RC1 so I think this stuff will have to be put on the back burner for now.

                              Best of luck :)

                              Nick