7 Replies Latest reply on Apr 26, 2007 11:59 PM by kwstasm

    JBoss authentication cache problem

    kwstasm

      Hi

      I am a newbie in Web application security and I am having a problem that tortures me for many days.
      I have created a custom server login module to provide security to my web application. In order to do that I have extended the AbstractServerLoginModule class.

      The problem I am facing is the following:
      When I first open an IE window my custom module's login method gets called, and I log in fine.

      When I open a second IE window though, and try to login, the login method of the module does not get called.
      As far as I read from wikis, books and forums, JBoss caches the principal and the credentials. That is probably the reason why the login method.
      I might be wrong but I think the default cache policy of JBoss is one with a timeout.
      I have tried many ways to override this behaviour so that whenever I open a new window the login method gets called and the user is authenticated from scratch. Among them are trying to programmatically flush the credential cache, setting the flushOnSessionInvalidation attribute to true in jboss-web.xml, and more.
      I don't want to set the DefaultCacheTimeout to 0 in the security-service.xml file and force the login to happen constantly.
      What I want is that, whenever a user opens a new browser window or connects from a remote machine, login authentication is forced and not bypassed by the cached credentials.

      I would appreciate any help on that.
      Thanks in advance.
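As an added illustration of the cache-flushing route the post mentions (this is example code written for this page, not the poster's module and not JBoss's own code): a logout servlet that invalidates the HTTP session and then evicts the user's entry from the security domain's authentication cache through the JaasSecurityManager MBean. The object name `jboss.security:service=JaasSecurityManager`, the `flushAuthenticationCache(String)` operation and `MBeanServerLocator` are the JBoss 4.x names as I know them; the domain name `java:/jaas/MyDomain` and the URL mapping are placeholders you would replace with your own.

```java
package example.security; // hypothetical package

import java.io.IOException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.mx.util.MBeanServerLocator;

/**
 * Logout endpoint: drops the servlet session and flushes the JBoss
 * authentication cache for one security domain, so that the next request
 * from this user must go through the login module again instead of being
 * served from cached principal/credentials.
 */
public class LogoutServlet extends HttpServlet {

    // Placeholder: the security domain configured for the web application.
    private static final String SECURITY_DOMAIN = "java:/jaas/MyDomain";

    // Assumed JBoss 4.x MBean name for the JAAS security manager service.
    private static final String JAAS_SECURITY_MANAGER = "jboss.security:service=JaasSecurityManager";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Invalidate the container session so the session cookie is useless.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Flush the cached authentication for the whole domain.
        //    (Assumed signature: flushAuthenticationCache(String securityDomain).)
        try {
            MBeanServer server = MBeanServerLocator.locateJBoss();
            server.invoke(new ObjectName(JAAS_SECURITY_MANAGER),
                          "flushAuthenticationCache",
                          new Object[] { SECURITY_DOMAIN },
                          new String[] { String.class.getName() });
        } catch (Exception e) {
            // Do not leak internals to the client; record for the operator.
            log("Could not flush authentication cache for " + SECURITY_DOMAIN, e);
        }

        // 3. Send the browser back to a page that is protected, forcing re-login.
        resp.sendRedirect(req.getContextPath() + "/"); // placeholder target
    }
}
```

Map the servlet to a logout URL in web.xml and point your logout link at it. Note that this only evicts the server-side cache; a browser that still holds HTTP Basic credentials will resend them on the next request, so for forced re-authentication the credential has to be dropped on the client as well, which a cache flush alone cannot do.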