6 Replies Latest reply on Sep 13, 2004 11:14 AM by starksm64

    CustomLoginModule does not work because of cache?

    gksands

      Hi,

      I have written a CustomLoginModule extending from DatabaseServerLoginModule. This custom login module overirdes login and logout methods. In these methods it first calls the super class methods to finish of first level authentication. On the top of that, if super class calls go through fine, the custom login module performs some other authentication.
      Everything works fine. But the custom login module is executed only once for every user name. If I open another browser and try to login with the same name i used before and giving correct password, the custom login module is not even invoked.

      I was wondering if anyone could explain why this is happening.My guess is that JBoss maintains cache of the username/password.

      Can anyone suggest how to overcome this?

      Thank you,
      Sony

        • 1. Re: CustomLoginModule does not work because of cache?

          See JaasSecurityManagerMBean, it allows you to configure the cache, including timeout. Notice that disabling it completely will have a performance effect on your application.

          • 2. Re: CustomLoginModule does not work because of cache?
            gksands

            I really do not want to disable cache.
            I do not want to use my own security proxy as well, because what I am trying to acheive is in addition to the functionalities already provided by the JBoss Login modules.
            Is there any other way to get around this?

            Thank you,
            Sony

            • 3. Re: CustomLoginModule does not work because of cache?
              jbriscoe

              Did you ever find a solution to this problem? I am having the same problem and I don't want to set the cach to 0.

              Thanks,
              Jacob

              • 4. Re: CustomLoginModule does not work because of cache?
                starksm64

                If you want the login modules to execute every time an authentication request is needed, you have to disable the cache. You can't have it both ways. Explain why you don't want the cache disabled if you want the login modules to execute?

                • 5. Re: CustomLoginModule does not work because of cache?
                  jbriscoe

                  I don't want to set the cache to 0 because, I need a running list of authenticated users on the server. But at the same time I need the server to attempt to authenticate when a login is requested and the username and password is already authenticated. I think the JBoss or Tomcat code looks like this (hypothetically) when j_security_check is requested :

                  // 1) Check: same user login
                  if(listOfUsers.getUsername().equals("newUsernameLogin")){
                  // 1a) Re-Init user session of found user....
                  }else{
                  // 2) Check: against datasource for valid username and/or password...
                  // 2a) If ok; then proceed and create NEW session.
                  }

                  The reason I need to do this is to check if a user is already logged in from another location. I can think of about a 1000 other ways of performing this check, but I believe this should be handled better on the Application Server side, in this case JBoss.

                  Thanks,
                  Jacob

                  • 6. Re: CustomLoginModule does not work because of cache?
                    starksm64

                    So your coupling the list of active users to the cache. To ask that the cache maintains the user list and then is ignored in terms of deciding whether the login module stack should be executed is not a reasonable expectation as far as I can see. You can certainly maintain your own list, or write your own cache implementation. See chap 8 in the online manual for more info on the latter.