6 Replies Latest reply on Apr 22, 2002 8:20 PM by coyner_b

    JBoss caches username and password when authenticate ?

    quan

      Hi all,

      In my web app, when I use DatabaseServerLoginModule or LdapLoginModule to authenticate users, maybe JBoss has cached the usernames and passwords, therefore, when I modify username, password or even delete a user from database (or LDAP), the user still can login using the old username, password. Only when I restart JBoss, the user is completely removed (can't login anymore). Any idea is welcome.

      Thanks and regards!

      Quan

        • 1. Re: JBoss caches username and password when authenticate ?
          jwkaltz

          Yes, JBoss caches valid credentials (= username and password which were verified by your login module).
          It must do this, because otherwise your login module would be called on every EJB method call, and not just the first time - that would slow down your application considerably.

          Sorry I don't know more - I think the credentials cache has a timeout, which you can probably set (but you wouldn't want it too short), but I am not sure about this.

          • 2. Re: JBoss caches username and password when authenticate ?
            quan

Thanks jwkaltz! Yes, you're right, and that happens in the same session, and JBoss should keep the valid credential in the session context and the user doesn't have to authenticate anymore. But when I start a new session (open a new browser and login), the last credential still exists (although I removed it from database) and the removed user can still log into my system.

            Quan

            • 3. Re: JBoss caches username and password when authenticate ?
              pkghosh

              Hi,

I am experiencing the same problem. I think caching by JBoss is fine. But there should be a way to invalidate the cache.

I have a dummy ejb method called login() that gets called for authenticating users. Currently the method is a no-op. The only solution that I have been able to come up with is to pass the user credentials to the ejb login() method and do checking there. But I don't want to do authentication twice, once by JBoss and once directly by my login() method.

              I am hoping that there will be a more elegant solution.

              Pranab

              • 4. Re: JBoss caches username and password when authenticate ?
                thedarksavant

                What I've discovered is that if you log in using the new password, the old password will not authenticate anymore.

                We've also found that the credentials timeout when not used for about 15 minutes. I have not discovered where this timeout is set.

You can also force the credentials to reset by restarting JBoss.

                • 5. Re: JBoss caches username and password when authenticate ?
                  rlynn

                  Another option is to clear the cache manually by invoking the SecurityManager MBean. However, this clears the Authentication for all users. Does anyone know if there are plans to add a method to clear single user credentials within a domain cache?

                  Ralph
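The manual flush Ralph describes, written out as an added example (not code from this thread or from the JBoss project): the application's user-administration code calls the security manager MBean through the in-JVM JMX server right after it deletes or changes an account in the database or LDAP, so the revocation takes effect without waiting for the cache timeout or a restart. The ObjectName `jboss.security:service=JaasSecurityManager` and the operation name `flushAuthenticationCache(String securityDomain)` are assumptions taken from later JBoss 3.x releases; check the MBean view of the release you run before relying on them. As the post notes, this flushes every cached principal in the domain, not just the one user.

```java
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

/**
 * Flushes the JAAS authentication cache for one security domain after an
 * account is deleted or its password changed, so stale credentials can no
 * longer authenticate. Added illustration; MBean and operation names below
 * are assumptions (JBoss 3.x names), verify them against your release.
 */
public class AuthCacheFlusher {

    // Assumed ObjectName of the security manager service MBean.
    static final String SECURITY_MANAGER_MBEAN =
            "jboss.security:service=JaasSecurityManager";

    // Assumed operation: flushAuthenticationCache(String securityDomain).
    static final String FLUSH_OPERATION = "flushAuthenticationCache";

    /**
     * Drops every cached principal of the given domain (e.g. "MyWebDomain",
     * the name used in login-config / auth.conf). Whole-domain only: there
     * is no per-user flush in this API.
     */
    public static void flushDomain(String securityDomain) throws Exception {
        // Locate the MBeanServer running inside this JBoss JVM.
        List servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("no MBeanServer found in this JVM");
        }
        MBeanServer server = (MBeanServer) servers.get(0);

        server.invoke(new ObjectName(SECURITY_MANAGER_MBEAN),
                      FLUSH_OPERATION,
                      new Object[] { securityDomain },
                      new String[] { "java.lang.String" });
    }

    /**
     * Example of the intended call site: the administrative code that removes
     * a user. deleteUserRow() is a hypothetical placeholder for your own
     * database or LDAP delete; the flush must happen AFTER that write
     * commits, otherwise a request racing in between re-populates the cache
     * with the old, still-valid credentials.
     */
    public static void deleteUser(String securityDomain, String username) throws Exception {
        deleteUserRow(username);          // hypothetical: your DB/LDAP removal
        flushDomain(securityDomain);      // then invalidate cached logins
    }

    private static void deleteUserRow(String username) {
        // Placeholder for the application's own persistence code.
    }
}
```

Because the flush logs out every user in the domain, it is best reserved for revocation events (account deletion, forced password reset, compromise response) rather than every routine profile update; for the routine case the cache timeout the other replies mention is the usual trade-off.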

                  • 6. Re: JBoss caches username and password when authenticate ?
                    coyner_b

JBoss 2.4.5RC1 fixes the caching problems. BUT there are classpath issues with this release. So to get the fixes you will need to check out and build Branch_2_4 from CVS. Branch_2_4 fixes the problems, or at least problems with the SRP caching scheme. If you need help let me know.

                    Brian