Password change - flush JAAS cache without logout?
johndickson Oct 11, 2002 3:14 AM
Hi all
JBoss 3.0.3 - Tomcat 4.0.5
We've implemented flushing of the JAAS cache (via JMX) as recommended in this forum, so that a user's password change is picked up immediately. The problem is that the change is both immediate and catastrophic - on the next HTTP request, the user's authenticated principal has gone, so Tomcat attempts to re-authenticate. This fails, because Tomcat uses the old password, which is associated with the user's session (see stack trace below).
We tried doing a direct login with the new password via LoginContext - this succeeds, but the new password is not associated with the user's session, so the next HTTP request still fails. The only other thing I can think of is to kill the user's session and force them to log in again, but that's a bit draconian.
Does anyone know of a way to either replace the authenticated principal/subject with a new one (obtained via LoginContext), or to update the password stored against the session? Any pointers appreciated.
Cheers .................. JD
Stack trace for the authentication failure on subsequent HTTP request:
2002-10-11 14:19:15,355 DEBUG [org.jboss.security.plugins.JaasSecurityManager.easy-mpi] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:147)
at java.lang.reflect.Method.invoke(Native Method)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:664)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:599)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:596)
at javax.security.auth.login.LoginContext.login(LoginContext.java:523)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:381)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:347)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:173)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
at java.lang.Thread.run(Thread.java:479)
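The sequence JD describes, as an added toy model that is not code from the post or from JBoss/Tomcat: a security manager that caches authenticated principals, a form authenticator that re-presents the credential noted on the session once that cached principal is flushed, and the two remedies the post weighs (refreshing the noted credential, or invalidating the session). Class and function names, the return strings and the sample user are invented for illustration.

```python
# Added toy model, not code from the post; the names and sample user are constructed.
class SecurityManager:
    """Stands in for JaasSecurityManager: checks a credential store and caches principals."""
    def __init__(self, store):
        self.store = store      # username -> current password
        self.cache = set()      # usernames whose authenticated principal is cached
    def is_valid(self, user, password):
        if user in self.cache:  # cache hit: the login module is not consulted
            return True
        if self.store.get(user) != password:
            return False        # the FailedLoginException in the trace above
        self.cache.add(user)
        return True
    def flush_cache(self):      # what the JMX flush does
        self.cache.clear()

class FormAuthenticator:
    """Stands in for Tomcat's FormAuthenticator: re-presents the session's noted credentials."""
    def __init__(self, manager):
        self.manager = manager
    def login(self, session, user, password):
        if not self.manager.is_valid(user, password):
            return False
        session["user"], session["password"] = user, password  # noted on the session
        return True
    def request(self, session):
        if "user" not in session:
            return "login-required"  # nothing noted: the login form is shown
        if session["user"] in self.manager.cache:
            return "served"
        # principal evicted: transparent re-login with the noted (old) credential
        if self.manager.is_valid(session["user"], session["password"]):
            return "served"
        return "reauth-failed"       # the failure the post describes

def after_password_change(fix=None):
    """Log in, change the password, flush the cache, then make one more request."""
    store = {"jd": "old-pw"}
    auth = FormAuthenticator(SecurityManager(store))
    session = {}
    assert auth.login(session, "jd", "old-pw")
    store["jd"] = "new-pw"          # the password change ...
    auth.manager.flush_cache()      # ... made visible immediately
    if fix == "update-note":        # refresh the credential noted on the session
        session["password"] = "new-pw"
    elif fix == "invalidate-session":  # the "draconian" option: force a fresh login
        session.clear()
    return auth.request(session)
```

With no fix the next request fails exactly as in the trace; refreshing the noted credential lets the transparent re-login succeed, and invalidating the session sends the user back to the login form instead of an error.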