3 Replies Latest reply on Aug 29, 2008 8:51 AM by erasmomarciano

How to flush the old password

oldreaper Aug 28, 2008 3:26 PM

I use DatabaseServerLoginModule for jboss authentication web application supported by MySQL. The function is working.

But there is a problem when a user changes password. The old password is cached and the new password will not work if I close the browser and login again. I try to delete the cookies, local internet data whatever, it won't work. If I restart Jboss server, the new password takes effect.

So, please let me know how can I change the behavior of security manager or loginmodule that they don't cache any password.

I also find this thread with similar issue, but unfortunately no answer
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=128691

The new password is supposed taking effect after the next login, but it actually does not. This is a serious negative behavior issue because it is quite normal that a user change his/her password. Many systems even force user to change password frequently.

1. Re: How to flush the old password

ragavgomatam Aug 28, 2008 10:29 PM (in response to oldreaper)

Do a HttpSession.invalidate() to enable jboss clear the cached Principal & then ask the user to re-login with new credentials
Actions
2. Re: How to flush the old password

oldreaper Aug 29, 2008 7:36 AM (in response to oldreaper)

Although this is a solution, but caching private credentials seems not appropriate. The JAAS specification does not enforce not caching private credentials, but it argues that it is better to clean the private credentials. So, the developer should have a chance to specify such a behavior when the application is configured, but not programmaticly.
Actions
3. Re: How to flush the old password

erasmomarciano Aug 29, 2008 8:51 AM (in response to oldreaper)

Try to

You have to edit the conf/jboss-service.xml and set attribute DefaultCacheTimeout to 0

0

bye bye Erasmo Emilio
Actions

Go to original post