2 Replies Latest reply on Apr 10, 2003 12:00 PM by ngandriau

    Preventing 2 active sessions with same user account

    ngandriau

      Hi,

      Sorry if this question has already been answered, but I cannot find any reference in the forum.

      We are using JBoss 3.0.6 with Tomcat 4.1.18 to deploy our web application and we use JAAS with the org.jboss.security.auth.spi.DatabaseServerLoginModule.

      Everything works fine, but our customer would like to prevent the possibility to have 2 active sessions on the application opened by the same user account.

      The first idea is to use a listener on the session life cycle and check whether there is not already a session using the same user account. If there is, invalidate the old session. But when the session is created, the user is not yet logged in. We think it would be better if we could be notified by the login module when a successful login is done. But we cannot find any API to do that.
      Is there an official solution? Do we have to subclass the DatabaseServerLoginModule?
      We would really appreciate it if someone who has already done that, or used another solution, could share it with us.

      Thank you in advance

        • 1. Re: Preventing 2 active sessions with same user account

          You _have_ to solve this in the web layer. Trying to solve it in the login module is doomed to fail, because a JAAS login is something completely different from a client login. In an EJB container/server, there is no notion of a user session. When a call on an EJB is made, the user is not logging in: his credentials are checked. Because of JBoss' security manager caching policy, the user login happens to lead to just one call of the login module, but this is - in a way - just coincidence. Trying to count the logins in the login module will leave you with non-deterministic behaviour and EJB calls failing because of a missing security context.

          So you somehow have to hook into the web login. I think a possible solution would be to redirect the submit of the login form to a custom servlet that checks the not-login-twice property and then forwards to the standard (jetty) login url...

          Hth,
          Peter.
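          One way to do the web-layer check Peter describes, as an added example that is not code from this thread or from JBoss: the custom login servlet, after it has authenticated the user, binds a guard object into the HTTP session; the Servlet 2.3 HttpSessionBindingListener callbacks (available in Tomcat 4.1) then keep a per-account registry and invalidate any older session for the same account. The attribute name "singleSessionGuard" and the class name are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Bound into the session by the custom login servlet right after a
 * successful login. Keeps at most one live session per user account
 * within this JVM (a single Tomcat instance, no clustering).
 */
public final class SingleSessionGuard implements HttpSessionBindingListener {
    /** user account -> the one HttpSession currently allowed for it (pre-generics, JDK 1.4 era). */
    private static final Map ACTIVE = new HashMap();
    private final String account;

    private SingleSessionGuard(String account) { this.account = account; }

    /** Called by the login servlet once the credentials have been verified. */
    public static void register(HttpSession session, String account) {
        session.setAttribute("singleSessionGuard", new SingleSessionGuard(account));
    }

    /** Runs when the guard is put into a session: replace and kill any older session for this account. */
    public void valueBound(HttpSessionBindingEvent event) {
        HttpSession previous;
        synchronized (ACTIVE) {
            previous = (HttpSession) ACTIVE.put(account, event.getSession());
        }
        // Invalidate outside the lock: invalidate() triggers valueUnbound on the old guard,
        // which takes the same lock.
        if (previous != null && previous != event.getSession()) {
            try {
                previous.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // the old session expired or was logged out in the meantime; nothing to do
            }
        }
    }

    /** Runs on logout, timeout or forced invalidation: free the slot only if it is still ours. */
    public void valueUnbound(HttpSessionBindingEvent event) {
        synchronized (ACTIVE) {
            if (ACTIVE.get(account) == event.getSession()) {
                ACTIVE.remove(account);
            }
        }
    }
}
```

          The identity check in valueUnbound matters: when a new login evicts an old session, the old guard's unbind callback must not remove the entry that now belongs to the new session. Because the registry is a static map, it does not hold across several JBoss/Tomcat nodes.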

          • 2. Re: Preventing 2 active sessions with same user account
            ngandriau

            Hi and thank you for your answer.

            After my post I dug into the LoginModule code of JBoss and indeed arrived at the same conclusion. So we have implemented it in the web application layer.

            But it raises a new question. Imagine that you want to implement the following login policy:
            If a user tries to log in 3 times with the same userAccount but a bad password, the userAccount is deactivated temporarily. It is one of our long-term requirements, but since the very beginning of the project I was thinking of implementing it in the LoginModule, as for the single sign-on ;-)
            Now I think there is no way to implement this policy in the web application, because it is not aware of login failures...
            What do you think would be the best way to implement it?

            Thank you.

            Nicolas GANDRIAU