4 Replies Latest reply on May 24, 2003 9:19 AM by petertje

    Web Authentication (Help)

    jecardenas

      For user authentication in my application, I'm using DataBaseLoginModule.

      I have a use case that lets the user change the password in the database. It works OK, but JBoss keeps the authentication working with the previous password (for all the user sessions that I start) until I use the new password in a session. After that, the authentication works only with the new password.

      How can I force JBoss to refresh this information about users and passwords immediately when I have changed it in the database?

      Thanks a lot!!


      Jk

        • 1. Re: Web Authentication (Help)

          JBoss is caching security credentials, so you must flush the cache. This can be done using JMX. If you search this forum I'm pretty sure you'll find a code sample of how to do that.

          Hth,
          Peter.

          • 2. Re: Web Authentication (Help)
            jecardenas

            Thank you, I hope to find this forum to resolve my problem.

            Thank you for your suggestion.

            • 3. Re: Web Authentication (Help)
              sebesp

              Hi, I had the same problem.
              The reason is that when Tomcat authenticates, the login info is stuck to the thread, NOT the session. The thread pool reuse mechanism does the rest....

              I found a solution in:
              http://www.luminis.nl/publications/websecurity.html

              Anyway, I'd like to know if someone used another method, maybe more "automatic". For instance, configure JBoss to attach JAAS security to each session "instead" of each thread...

              Thanks in advance.
              Regards

              • 4. Re: Web Authentication (Help)

                I'm afraid you didn't understand the article you are referring to. The article is about using custom _non-standard_ web security (the "write it all yourself approach").

                When you are using normal standard web security, specifying security constraints in web.xml and jboss-web.xml, of course different security contexts are managed correctly by jboss/jetty/tomcat.

                So what you are asking for, "automatic attaching security to sessions", it is already there.

                Moreover, the problem mentioned in the original post is a typical caching problem and has certainly nothing to do with thread pooling etc.

                Cheers,
                Peter.
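
Added example, not part of any post in this thread and not JBoss project code: a minimal sketch of the JMX cache flush that replies 1 and 4 point to, meant to be called from code running inside the JBoss JVM right after a password change. The MBean name `jboss.security:service=JaasSecurityManager` and its `flushAuthenticationCache(String)` operation are not given in the thread and are assumed here from the JBoss security manager service; the domain name `my-app-domain` and the class name are hypothetical.

```java
import java.util.List;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

/** Added example: evict cached credentials of a security domain after a password change. */
public class AuthCacheFlusher {

    // Assumed name of the JBoss security manager service MBean (not stated in the thread).
    static final String SECURITY_MBEAN = "jboss.security:service=JaasSecurityManager";

    /**
     * Flushes the authentication cache of one security domain.
     *
     * @param domain security domain name without the "java:/jaas/" prefix
     * @return true if the flush was invoked, false if the MBean is not registered in this JVM
     */
    public static boolean flush(MBeanServer server, String domain) throws Exception {
        ObjectName name = new ObjectName(SECURITY_MBEAN);
        try {
            server.invoke(name, "flushAuthenticationCache",
                    new Object[] { domain },
                    new String[] { String.class.getName() });
            return true;
        } catch (InstanceNotFoundException e) {
            return false; // not running inside JBoss, or the security service is not deployed
        }
    }

    public static void main(String[] args) throws Exception {
        // Inside JBoss the server's MBeanServer is already registered with the factory.
        // Stand-alone there is none, so one is created to show the "not registered" path.
        List<?> servers = MBeanServerFactory.findMBeanServer(null);
        MBeanServer server = servers.isEmpty()
                ? MBeanServerFactory.createMBeanServer()
                : (MBeanServer) servers.get(0);
        String domain = args.length > 0 ? args[0] : "my-app-domain"; // hypothetical domain name
        System.out.println(flush(server, domain)
                ? "Flushed authentication cache for " + domain
                : SECURITY_MBEAN + " is not registered in this JVM");
    }
}
```

Call `flush` from the change-password use case once the database update has committed; until the cache entry is evicted, the old password keeps authenticating, which is the behaviour the original post describes.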