1 Reply Latest reply on May 26, 2004 9:50 PM by starksm64

LoginModule order

kenh May 26, 2004 10:40 AM

Hello all,

Jboss 3.2.3 / Windows2000

I will try this post again, since it is pretty urgent:
The order of login modules is as below
1) AdbLoginModule sufficient
2) BdbLoginModule sufficient

Phase I:
AdbLoginModule.login() returns false
BdbLoginModule.login() returns true
Phase II:
AdbLoginModule.commit() - called - why is this called when login() failed?
According to my understanding of the specs, the only LoginContext commit() methods called are for those LoginModules that return true.

<application-policy name = "status">

<login-module code = "AdbLoginModule"
flag = "sufficient">
<module-option name = "datasource">ds/ePool</module-option>
</login-module>
<login-module code = "BdbLoginModule"
flag = "sufficient">
<module-option name = "datasource">ds/security</module-option>
</login-module>

</application-policy>

Thanks,
kenh

1. Re: LoginModule order

starksm64 May 26, 2004 9:50 PM (in response to kenh)

The javadocs for the javax.security.auth.spi.LoginModule.commit method clearly state the method is called when the overall login succeeds and that the login module needs to cleanup any state if it failed locally:

public boolean commit() throws LoginException
This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.
Actions