17 Replies. Latest reply on Dec 21, 2005 8:55 AM by nigelwhite
      • 15. Re: Multi Credential Authentication
        elponderador

         

        "NigelWhite" wrote:
        That doesn't work.

        I have debug statements in my LoginModule's logout() method, and they are not being executed.


        Well, it will only happen on the first request. On the following requests they are just semi-authenticated (credential caching compared to provided data) and never hit the LoginModule, unless you have modified your caching settings. In this way authentication happens really only once per successful authentication.

        From there, the real issue is authorization. At least that has been my experience with JBoss 4.0.3 and my understanding of the related documentation.

        • 16. Re: Multi Credential Authentication
          nigelwhite

          You're saying it should call login() and then immediately logout() on the first HTTP request??????????

          That would be bizarre. I want to log out when they hit the logout link.

          Anyway, it's not doing that - it's never getting into my LoginModule's logout() method.

          The login() is being called fine, and I'm connecting to the backend server, caching the connection in the session, and the webapp then uses that.

          When they hit the logout link though, it does a session.invalidate(), and no logout() is called, and the connection to the backend server stays open, and consumes a licence seat (It's HORRIBLE legacy stuff, and that's how they're clinging to viability - licensing!)

          Now I could do the processing myself, but what if there were more login modules stacked up (as they may well be with JAAS authentication). It may be that more logout() methods in other modules may need to be called.

          The container must have some way of doing this! We need access to the LoginContext used by the container at authentication time!

          • 17. Re: Multi Credential Authentication
            nigelwhite

            Well, thanks a bunch JBoss gurus! (Not you elponderador, the developers who should know this, and should have helped!)

            After much searching, I randomly stumbled across the correct incantation:

            in jboss-web.xml

            <jboss-web>
             <!-- Specify the security domain for authentication/authorization and
             require that the domain's cache be flushed when the session invalidates.
             -->
             <security-domain flushOnSessionInvalidation="true">
             java:/jaas/jbossweb-form-auth
             </security-domain>
            </jboss-web>
            


            So now, I can log out when they click the logout link.

            Great.

            Next up, how to programmatically determine whether a URL is available to the current user.

            I'm of course using container-managed authorization, but it's no good outputting a link only to have the user click on it, and be tipped into the error page by JBoss. I want to have a custom tag for links which does not output any HTML if the URL is not accessible to the current user.

            Any ideas?

            No doubt, I'll find the incantation at some random site given enough searching...
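
Added example, not written by any poster in this thread: plain JAAS run outside JBoss, showing that a single LoginContext.logout() invokes logout() on every stacked module, which is the behaviour reply 16 wants from the container when the session is invalidated. BackendModule, the seat names and "demo-domain" are constructed for illustration, and the code assumes Java 9 or later.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class StackedLogoutDemo {
    // Constructed stand-in for the licensed backend connections from the thread.
    static final List<String> openSeats = new ArrayList<>();

    // Hypothetical module: takes a seat in login(), must give it back in logout().
    public static class BackendModule implements LoginModule {
        private Subject subject;
        private String seat;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            seat = (String) opts.get("seat");
        }
        public boolean login()  { openSeats.add(seat); return true; }
        public boolean commit() { subject.getPrivateCredentials().add(seat); return true; }
        public boolean abort()  { openSeats.remove(seat); return true; }
        public boolean logout() {
            // Without this call the seat stays consumed after the user leaves.
            subject.getPrivateCredentials().remove(seat);
            openSeats.remove(seat);
            return true;
        }
    }

    static AppConfigurationEntry entry(String seat) {
        return new AppConfigurationEntry(BackendModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("seat", seat));
    }

    public static void main(String[] args) throws LoginException {
        // Two stacked modules in one domain, configured in code instead of a file.
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry("seat-A"), entry("seat-B") };
            }
        };
        LoginContext lc = new LoginContext("demo-domain", new Subject(), null, cfg);
        lc.login();
        System.out.println("open after login:  " + openSeats);
        lc.logout();   // one call walks the whole stack and runs each logout()
        System.out.println("open after logout: " + openSeats);
    }
}
```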
