Principal sharing
tcherel May 4, 2005 7:45 PM
My initial experiment with JBoss seems to suggest that the principal object returned by EJBContext.getCallerPrincipal is shared between all the EJB clients that have been authenticated with the same user id and password, and that as long as JBoss is caching the authentication information (the default timed cache of the JaasSecurityManager, I suppose), the server authentication process (going through the stack of server JAAS login modules) is not executed again (when the authentication information matches a cached entry).
This is causing me a few concerns:
1) I would expect that two physical users, authenticating from two different machines using the same user name and password, will lead to two complete authentications (going through the server JAAS login modules). Agreed, it might not make sense in all cases, but it just seems "weird" to me that a real authentication is not always performed in such a case.
2) Without even going that far, the same user stopping and restarting his application and authenticating again might not go through the server-configured JAAS login modules again if his authentication information is cached. So, for example, let's say that the user's role memberships are changed: he cannot simply log out and log in to take the changes into account; he has to wait for the cached authentication information to expire.
I guess what I am really looking for is a way to make sure that each time a client calls loginContext.login(), the server goes through all the configured JAAS login modules to perform a full authentication. After that, as long as the client is working under the same security context (no call to login again), I have no problem (of course) with the fact that authentication is not performed for each EJB call.
I would also like the Principal objects returned by EJBContext.getCallerPrincipal not to be shared between clients using the same user name and password. Basically, I'd like a new principal object for every call to loginContext.login().
I am not certain of the best way to do that.
Should I create my own client login module that will generate some kind of unique number used as part of the credential to make each login unique?
Do I need to implement my own authentication cache for the JaasSecurityManager?
Do I need to go as far as creating my own security interceptors?
Any pointers will help.
Thanks.
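The behaviour the post describes, and the "unique number in the credential" idea it floats, as an added stand-alone simulation that is not part of the post and not JBoss code: a plain-JAAS LoginContext with one counting LoginModule behind a hand-rolled cache keyed on user name plus credential, standing in for the JaasSecurityManager's authentication cache. Everything here (the class names PrincipalSharingDemo, CountingLoginModule and SimplePrincipal, the "demo" domain, the '#' separator for the client nonce and the rule that the server module strips it) is an assumption made for the illustration; the real JBoss cache and its key are not reproduced.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Simulation only: a JAAS login module behind a credential-keyed cache, not JBoss's JaasSecurityManager.
public class PrincipalSharingDemo {

    /** How many times the server-side module stack really ran. */
    static int serverLogins = 0;

    /** Stand-in for the server's JAAS login module stack. Accepts the constructed
     *  user "alice" with password "secret"; anything after '#' in the password is
     *  treated as a client-generated nonce and ignored (assumed convention). */
    public static final class CountingLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }

        public boolean login() throws LoginException {
            serverLogins++;
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException(e.toString());
            }
            String pw = new String(pc.getPassword());
            int sep = pw.indexOf('#');
            if (sep >= 0) pw = pw.substring(0, sep);          // strip the client nonce
            if (!"alice".equals(nc.getName()) || !"secret".equals(pw)) {
                throw new FailedLoginException("bad user name or password");
            }
            user = nc.getName();
            return true;
        }

        public boolean commit() { subject.getPrincipals().add(new SimplePrincipal(user)); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    public static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Programmatic JAAS configuration wiring the "demo" domain to the module above. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                CountingLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, Object>()) };
        }
    };

    /** Simulated authentication cache: when user name and credential match an
     *  entry, the cached Principal is handed back and the module stack is skipped. */
    static final Map<String, Principal> cache = new HashMap<>();

    public static Principal authenticate(String user, String credential) throws LoginException {
        String key = user + "\0" + credential;
        Principal cached = cache.get(key);
        if (cached != null) return cached;                   // cache hit: no login modules run
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(credential.toCharArray());
            }
        };
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("demo", subject, handler, CONFIG);
        lc.login();                                          // full pass through the module stack
        Principal p = subject.getPrincipals().iterator().next();
        cache.put(key, p);
        return p;
    }

    /** The client-side idea from the post: make every login unique by appending a nonce. */
    public static String uniqueCredential(String password) {
        return password + "#" + UUID.randomUUID();
    }

    public static void main(String[] args) throws LoginException {
        Principal a = authenticate("alice", "secret");
        Principal b = authenticate("alice", "secret");        // second client, same user and password
        System.out.println("same Principal object: " + (a == b) + ", server logins so far: " + serverLogins);

        Principal c = authenticate("alice", uniqueCredential("secret"));
        Principal d = authenticate("alice", uniqueCredential("secret"));
        System.out.println("same Principal object: " + (c == d) + ", server logins so far: " + serverLogins);
    }
}
```

Run it with `javac PrincipalSharingDemo.java && java PrincipalSharingDemo`. The first pair of logins shows the concern: the second call with identical user name and password is served from the cache, so the module stack does not run again and both callers hold the very same Principal object. The second pair shows the cost of the nonce idea: the cache never matches, so every login is a full authentication with its own Principal, but the server-side modules must know to strip the nonce, which means the change is not purely client-side.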