1 Reply Latest reply on Nov 28, 2004 2:33 PM by starksm64

    Fat client access results in principal=null

    jonlifton
    jonlifton Nov 28, 2004 10:52 AM



      Hi,

      We have an application that allows users to register account with an associated service plan (which maps to a specific role). The app uses a Form based authentication.
      The user is logged and authenticated/authorized against the infomration stored in tables which are populated from the account registration process.

      Jaas / DatabaseServerLoginModule is configured / set to make this work.

      Everything works perfect.

      However once the user is logged in, he can edit his account and upgrade
      his service plan and hence changes his role.

      We recommend the user to logout and relogin so that he can be authorized against his new role.

      The logoutAction is very simple.
      Just invalidate session...
      HttpSession ses = request.getSession(false);
      ses.invalidate();

      .When the user tries to login , every thing appears to be correct. except that he still inherits the old role (the role that existed when the server was started).

      This problem has an unacceptable workaround. Restart Jboss server. and the JaasSecurityManager cache is refreshed and everything works ok.


      IS there anyway that we can refresh the cache in JaasSecurityManager or invoke loginModule.logout() without restarting the server....

      I don't think that writing a custom Login Module helps. The cache seems to be deep in the container/server in JaasSecurityManager.

      Scott???
      Anyhelp will be deeply appreciated.

      Thanks in advance.

      • 3500 Views
      • Tags:
        • 1. Re: Fat client access results in principal=null
          starksm64
          starksm64 Nov 28, 2004 2:33 PM (in response to jonlifton)

          Your assumption that a Subject.doAs has any affect on the security context of the call is incorrect. A Subject does not have sufficient information for validation of the security context on the server side. There is no requirement or standard for how the proof of identity is stored in a Subject, and therefore there is no way to validate the Subject on the server side. See the JAAS Howto in this forum for more info on the client/server interaction.

            • Actions