2 Replies Latest reply on Oct 7, 2002 2:08 PM by tool

    Deleted user can still access servlet...

    kplex

      Hi,
      I'm using DatabaseServerLoginModule to authenticate users and am having a problem that is driving me nuts...

      I can add a new user and have that picked up on the fly with that user being able to authenticate.

      But when I delete that user from the database, that username and password will still authenticate, even if I restart the browser to kick off a new session.

      Is there any way of turning off this user/password caching when using the j_security_check method?

      If you need any more information to make sense of this problem then please just ask and I will post it, I've spent the last hour trawling the forum but can see no way round this.

      Thanks in advance to anybody who can help me with this.
      John

        • 1. Re: Deleted user can still access servlet...
          kplex

          Oh, I'm using jboss-3.0.1_tomcat-4.0.4

          • 2. Re: Deleted user can still access servlet...
            tool

            Hello,

            This is happening because the JBoss server caches everything known to man...and then some. Seriously, it is caching the authentication info, so when you delete the user from the database, and even if you restart the browser, then the authentication info for that deleted user still resides in the cache. Restart the server after deleting the user and try it. It should fail because restarting the server wipes out the auth. cache.

            You can add a clear auth. cache call to your logout method. That's what I have done and it works fine.
            Check out http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ for more info about the auth. cache flush in 3.0.x. The jar file mentioned can be found in the server/output/lib directory of the JBoss source after you build all.
            Hope this helps and good luck,
            Brian
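
The cache flush suggested in the last reply, sketched as an added example that is not part of the thread or of JBoss itself. It assumes the security manager MBean is registered as `jboss.security:service=JaasSecurityManager` and exposes `flushAuthenticationCache`, as it does in later JBoss releases; the class name `AuthCacheFlusher` and the domain name you pass in are hypothetical.

```java
import java.security.Principal;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import org.jboss.security.SimplePrincipal;

/** Evicts cached JAAS logins so a deleted user stops authenticating. Runs inside the JBoss JVM. */
public final class AuthCacheFlusher {
    // Assumption: MBean name as registered in later JBoss releases.
    private static final String JAAS_MGR = "jboss.security:service=JaasSecurityManager";

    private AuthCacheFlusher() {}

    private static MBeanServer server() {
        // Web applications share the JVM with the JBoss MBeanServer.
        List servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("no MBeanServer found in this JVM");
        }
        return (MBeanServer) servers.get(0);
    }

    /**
     * Evict a single user's cached credentials. Call this right after the
     * DELETE against the users table, and again from the logout handler.
     * securityDomain is the application-policy name from login-config.xml.
     */
    public static void flushUser(String securityDomain, String username) throws Exception {
        Principal user = new SimplePrincipal(username);
        server().invoke(new ObjectName(JAAS_MGR), "flushAuthenticationCache",
                new Object[] { securityDomain, user },
                new String[] { "java.lang.String", "java.security.Principal" });
    }

    /** Evict every cached login for the domain, e.g. after a bulk user or role change. */
    public static void flushDomain(String securityDomain) throws Exception {
        server().invoke(new ObjectName(JAAS_MGR), "flushAuthenticationCache",
                new Object[] { securityDomain },
                new String[] { "java.lang.String" });
    }
}
```

Flushing from the user-deletion code path matters more than flushing at logout: a deleted account that never logs out is otherwise still accepted from the cache until the server restarts.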