5 Replies Latest reply on Dec 8, 2005 6:19 PM by brian.stansberry

flushing cache on session timeout!

belal Apr 4, 2005 11:25 AM

Hi,

How can I flush the JAAS authentication cache upon session timeout in JBOSS 4.0.1?

I tried what is there in this link, but it doesn't work!!!

http://www.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials

Any help please!

1. Re: flushing cache on session timeout!

starksm64 Apr 4, 2005 2:25 PM (in response to belal)

The link works fine for me.
Actions
2. Re: flushing cache on session timeout!

belal Apr 5, 2005 2:02 AM (in response to belal)

The web.xml has:
..
<session-config>
<session-timeout>1</session-timeout>
</session-config>
..

The jboss-web.xml looks like:
<jboss-web>
<security-domain flushOnSessionInvalidation="true">
java:/jaas/TatSecurityDomain
</security-domain>
</jboss-web>

when I wanted to access any page after 1 minute of the 1st login, I requested to fill the login info. again.

but when I logged in again, my login module wasn't executed at all, jboss authenticated me based on its cache!

did I miss any thing! or is there any thing wrong in above configs!
please advise!
Actions
3. Re: flushing cache on session timeout!

mikoskin Apr 5, 2005 2:44 AM (in response to belal)

I'm having similar problems with JBoss 3.2.6 when I'm trying to logout
a user. I have Tomcat SSO enabled. Here's a log printout of what's happening:

09:22:28,173 INFO [STDOUT] logoutSession get principal
09:22:28,173 INFO [STDOUT] logoutSession principal: testuser
09:22:28,173 INFO [STDOUT] JSESSIONIDSSO is removed, redirecting to Welcome page.
09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals before flush: [testuser]
09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals after flush: []
09:22:28,183 INFO [STDOUT] SMWelcomeForm constructor end
09:22:28,203 INFO [Engine] SingleSignOn[localhost]: Process request for '/Welcome.faces'
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for SSO cookie
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for cached principal for F34A9CDB06E28C1717F229131FC4FAC3
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Found cached principal 'testuser' with auth type 'FORM'
09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Associate sso id F34A9CDB06E28C1717F229131FC4FAC3 with session StandardSession[4A91ACBA9C484E245E1817D9E0385260]

So the jboss authentication cache flush seems to work correctly but the SingleSignonValve still allows login without re-authentication.
How can the re-authentication be forced with SSO enabled?

Regards,
Mika Koskinen
Actions
4. Re: flushing cache on session timeout!

jaco.boon Dec 7, 2005 10:41 AM (in response to belal)

I have the same problem when using SSO with JBoss 3.2.5. I flush the JAAS cache programatic. Without using SSO this works fine. When I enable SSO the cache still gets flushed however, the user isn't re-authenticated. Has anyone got a solution to this problem?

Kind regards,
Jaco
Actions
5. Re: flushing cache on session timeout!

brian.stansberry Dec 8, 2005 6:19 PM (in response to belal)

If you add the attribute 'requireReauthentication="true"' to the SingleSignOn valvel element in server.xml, all requests will be passed to the security Realm for authentication. If the security manager's cache has been flushed, the authentication request will come through to your login module.

A timeout of a session will not invalidate the SSO (unless it was the only session associated with the SSO), so the user will not be asked for their credentials. The credentials cached in the SSO will be used. But the request will go to your login module.
Actions

Go to original post