Incorrect credentials after successful Authentication
jkuhn Oct 16, 2003 12:50 AM

I'm seeing some odd behaviour upon successful logins.
It seems that no matter how many times I log in and then
log out, the credentials of the user that has been authenticated
will always match those of the first user that logged in after
JBoss had been restarted.
I have implemented a typical login/JAAS strategy, where I allow
the user to enter username and password in a login form, authenticate
them, and then put their username and password onto the session.
This username and password is then re-logged in prior to the execution
of all servlets by using a filter.
Everything is working fine (from a functional perspective). However,
I've noticed that my debug output is reporting that the credentials of
the user who is currently logged in are always the same as the credentials
of the user that first logged into the application. This is illustrated in
the following code snippet. You'll notice that I'm printing the username
and password, and then I'm logging in, and then I'm printing the principals:
    // Fragment of the filter's doFilter(request, response, chain) method;
    // callbackHandler and loginCtx are fields of the filter that are set up
    // elsewhere (not shown in the post), and the login is repeated on every request.
    try {
        session = httpRequest.getSession();
        username = (String) session.getAttribute(ADMIN_USER);
        password = (String) session.getAttribute(ADMIN_PWD);
        synchronized (callbackHandler) {
            System.out.println("username='" + username + "'");
            System.out.println("password='" + password + "'");
            callbackHandler.setUsername(username);
            callbackHandler.setPassword(password);
            loginCtx.login();
            System.out.println("JaasServices: user authenticated.");
            it = loginCtx.getSubject().getPrincipals().iterator();
            while (it.hasNext()) { // display user info in server output.
                o = it.next();
                System.out.println("principal: " + o.getClass().getName() + " " + o);
            }
        }
        chain.doFilter(request, response);
    } catch (LoginException le) {
        System.out.println("JaasServices: user not authenticated." + le);
    } finally {
        try {
            loginCtx.logout();
            System.out.println("JaasServices: logout.");
        } catch (LoginException le) {
            System.out.println("JaasServices.logout(): logout failed: " + le);
        }
    }
I have two users in my JAAS tables. One is called "admin", and the
other is 'jkuhn'. Each of these has entries in the roles table and has
permissions that will allow access to all of the beans in the application.
When I start up the application, and then attempt to login as "admin",
I get the following output for every servlet that is executed:
username='admin'
password='admin'
JaasServices: user authenticated
principal: org.jboss.security.NestableGroup Roles(members:Admin)
principal: org.jboss.security.SimplePrincipal admin
And I will continue to see this output for the duration of the session.
Now, when I log out, close the browser, and then try to log in as 'jkuhn',
I see the odd behaviour. My server output now begins to look like this:
username='jkuhn'
password='jkuhn'
JaasServices: user authenticated
principal: org.jboss.security.NestableGroup Roles(members:Admin)
principal: org.jboss.security.SimplePrincipal admin
Notice that the output is reporting that the user has been authenticated,
yet the principals being reported immediately after authentication
do not match those of the username and password that were logged in.
Has anyone got any ideas on why this could be happening?
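The following is an added, self-contained example and is not code from the post or from JBoss. It shows the check a filter like the one above would benefit from: after each login(), confirm that the Subject's principals actually name the user whose credentials were just presented, and fail the request if they do not, so a principal set that does not match the credentials is caught at the point of login rather than noticed later in debug output. It also creates a fresh LoginContext with a fresh Subject for every login, so principals from an earlier login cannot be carried into the next one regardless of how the login module's logout() behaves. The in-memory LoginModule, the "demo" configuration name, and the two users (mirroring "admin" and "jkuhn" from the post, with constructed passwords) are all assumptions made for the example; the JBoss security modules in the post are not used.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class PrincipalCheckDemo {

    // Constructed in-memory user store standing in for the JAAS tables in the post.
    static final Map<String, String> USERS = Map.of("admin", "admin", "jkuhn", "jkuhn");

    // Simple named principal so the Subject's principal set is readable when printed.
    public static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Minimal LoginModule: checks the credentials against USERS and, on commit,
    // adds one NamePrincipal for the authenticated user to the Subject.
    public static class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private Principal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("pass", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            String expected = USERS.get(nc.getName());
            if (expected == null || !expected.equals(new String(pc.getPassword()))) {
                throw new FailedLoginException("bad credentials");
            }
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            principal = new NamePrincipal(user);
            subject.getPrincipals().add(principal);
            return true;
        }

        public boolean abort() { return true; }

        public boolean logout() {
            subject.getPrincipals().remove(principal);
            return true;
        }
    }

    // Programmatic JAAS configuration (assumed name "demo") so no login.config file is needed.
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                InMemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    // Hands the supplied username/password to whatever callbacks the module asks for.
    static CallbackHandler handlerFor(String user, String pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(pass.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Fresh LoginContext and fresh Subject per login, then verify that the resulting
    // principals name the user we authenticated; otherwise log out and fail loudly.
    static Subject loginAndVerify(String user, String pass) throws LoginException {
        LoginContext ctx = new LoginContext("demo", new Subject(), handlerFor(user, pass), CONFIG);
        ctx.login();
        Set<String> names = new TreeSet<>();
        for (Principal p : ctx.getSubject().getPrincipals()) {
            names.add(p.getName());
        }
        if (!names.contains(user)) {
            ctx.logout();
            throw new LoginException("principals " + names + " do not include " + user);
        }
        return ctx.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject a = loginAndVerify("admin", "admin");
        System.out.println("admin principals: " + a.getPrincipals());
        Subject b = loginAndVerify("jkuhn", "jkuhn");
        System.out.println("jkuhn principals: " + b.getPrincipals());
    }
}
```

Run with `java PrincipalCheckDemo.java` (Java 11 or later). Each call to loginAndVerify builds its own LoginContext, so the principal set printed for "jkuhn" can only contain what that login produced; in a filter, the equivalent is to construct the LoginContext per request (or per session) rather than sharing one instance across users, and to treat a principal set that does not name the authenticated user as a failed login.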