3 Replies Latest reply on Jan 7, 2003 1:54 PM by mike99

    Password change - flush JAAS cache without logout?

    johndickson

      Hi all

      JBoss 3.0.3 - Tomcat 4.0.5

      We've implemented flushing of the JAAS cache (via JMX) as recommended in this forum, so that a user's password change is picked up immediately. The problem is that the change is both immediate and catastrophic - on the next HTTP request, the user's authenticated principal has gone, so Tomcat attempts to re-authenticate. This fails, because Tomcat uses the old password, which is associated with the user's session (see stack trace below).

      We tried doing a direct login with the new password via LoginContext - this succeeds, but the new password is not associated with the user's session, so the next HTTP request still fails. The only other thing I can think of is to kill the user's session and force them to log in again, but that's a bit draconian.

      Does anyone know of a way to either replace the authenticated principal/subject with a new one (obtained via LoginContext), or to update the password stored against the session? Any pointers appreciated.

      Cheers .................. JD

      Stack trace for the authentication failure on subsequent HTTP request:
      2002-10-11 14:19:15,355 DEBUG [org.jboss.security.plugins.JaasSecurityManager.easy-mpi] Login failure
      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:147)
      at java.lang.reflect.Method.invoke(Native Method)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:664)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:599)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:596)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:523)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:381)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:347)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
      at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
      at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:173)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
      at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
      at java.lang.Thread.run(Thread.java:479)

        • 1. Re: Password change - flush JAAS cache without logout?
          chgrimm

          Could you attach the source for your JMX solution?
          Cache flushing is also an issue on our project task list.

          So I'd like to have a look and, if necessary, debug the JBoss source to figure out what's going on (and of course tell you afterwards what I found out).

          Christoph

          • 2. Re: Password change - flush JAAS cache without logout?
            luist

            Hi All, JD's away so I'll reply for him... The code that we're using to clear the cache is below. However, as JD mentioned, the clearing of the cache seems to work, but Tomcat is keeping the userName/password in the session somewhere...

            Thanks...

            Luis

            // Code: flush the JaasSecurityManager authentication cache for one security domain
            import java.net.InetAddress;
            import javax.management.ObjectName;
            import javax.naming.InitialContext;
            import org.jboss.jmx.adaptor.rmi.RMIAdaptor;

            String serverName = InetAddress.getLocalHost().getHostName();
            String connectorName = "jmx:" + serverName + ":rmi";   // JNDI name of the RMI adaptor
            RMIAdaptor server = (RMIAdaptor) new InitialContext().lookup(connectorName);
            ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
            Object[] params = {m_domainName};                      // security domain whose cache is flushed
            String[] signature = {"java.lang.String"};
            server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

            • 3. Re: Password change - flush JAAS cache without logout?
              mike99

              I would also be interested if anybody has any solutions to this problem as I am facing exactly the same issue.

              My only workaround is to NOT flush the cache when the user's password is updated. This means that when JAAS tries to validate the user on the next HTTP request using the old password in the session, it will be able to validate the principal because the old password is stored in the cache.

              However, this is not ideal, as the user will still be able to log in with his old password until the cache is refreshed.

              Regards

              Mike
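As an added illustration, not code from this thread or from JBoss/Tomcat: a Python model of the interplay JD and Mike describe, with the JaasSecurityManager cache keyed by principal and Tomcat replaying the credentials kept in the session on the next request. The cache semantics (a matching entry is accepted without the store, anything else runs the login module), the 1800-second timeout and the user/passwords are assumptions made for the model.

```python
class AuthCache:
    """Model of the per-domain JaasSecurityManager cache: principal -> (password, expiry)."""
    def __init__(self, timeout_s):
        self.timeout_s, self.entries = timeout_s, {}

    def get(self, user, now):
        entry = self.entries.get(user)
        if entry is None or entry[1] <= now:        # missing or timed out
            self.entries.pop(user, None)
            return None
        return entry[0]

    def put(self, user, password, now):
        self.entries[user] = (password, now + self.timeout_s)

    def flush(self):                                # what flushAuthenticationCache(domain) does
        self.entries.clear()

class Realm:
    """Assumed isValid() behaviour: a matching cache entry is accepted without the
    password store; anything else runs the login module and refreshes the cache."""
    def __init__(self, passwords, cache_timeout_s):
        self.passwords, self.cache = dict(passwords), AuthCache(cache_timeout_s)

    def is_valid(self, user, password, now):
        if self.cache.get(user, now) == password:
            return True
        if self.passwords.get(user) == password:
            self.cache.put(user, password, now)
            return True
        return False                                # the FailedLoginException path in the trace

    def change_password(self, user, new_password, flush):
        self.passwords[user] = new_password
        if flush:
            self.cache.flush()

def next_request(realm, session, now):
    """FormAuthenticator as in the trace: re-authenticate with the user name/password kept in the session."""
    return realm.is_valid(session["user"], session["password"], now)

def revocation_window(flush, cache_timeout_s=1800):
    """(next request ok, old pw valid now, old pw valid after timeout, new pw valid now)."""
    realm = Realm({"jd": "old-pw"}, cache_timeout_s)   # constructed user and passwords
    session = {"user": "jd", "password": "old-pw"}
    next_request(realm, session, 0)                    # the original form login fills the cache
    realm.change_password("jd", "new-pw", flush)
    return (next_request(realm, session, 1), realm.is_valid("jd", "old-pw", 1),
            realm.is_valid("jd", "old-pw", 1 + cache_timeout_s), realm.is_valid("jd", "new-pw", 1))
```

revocation_window(True) reproduces JD's broken next request; revocation_window(False) reproduces Mike's workaround, where the old password keeps working until the cache entry times out.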