5 Replies Latest reply on Apr 7, 2016 5:11 AM by valsaraj viswanathan

    Duplicate login module call

    Michael Jank Newbie



      I am noticing a strange behaviour for a web application on WildFly CR1 concerning the call of the login module and the caching of the authenticated principal when using form authentication.

      The login module extends the AbstractServerLoginModule and I am using the MyPrincipal class implementing the Principal interface.


      The login module is called twice, because the FormAuthenticationMechanism calls the verify(String id, Credential credential) method of the JAASIdentityManagerImpl, which creates an AccountImpl having AccountPrincipal as its principal. After successful authentication, the account seems to be stored in the session, being updated by having MyPrincipal as its principal, but in the domain cache of the JBossCachedAuthenticationManager the account is stored with AccountPrincipal. This is for the first HTTP call.

      The second HTTP call is authenticated again via the login module, because the MyPrincipal class is already taken from the session, but cannot yet be found in the domain cache. After the second successful login I have two principals for one user in the domain cache, one MyPrincipal and one AccountPrincipal.

      Afterwards no more calls to the login module happen.


      The security domain is configured by:

                  <security-domain name="myjaas" cache-type="default">
                          <login-module code="MyLoginModule" flag="required" module="my.package">
                              <module-option name="principalClass" value="MyPrincipal"/>
                          </login-module>
                  </security-domain>


      Did I miss some configuration for WildFly, or does the login module/principal logic have to be done in another way with CR1? I did not test this on Beta1 or Alpha releases.


      Thanks for any help,
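
The cache behaviour described in the post above, modelled as an added example that is not part of the original post and is not WildFly or PicketBox code. The class `DomainCacheDemo`, the base class `NamedPrincipal`, the user name `alice` and the class-sensitive `equals()` are assumptions made for illustration; only the names `AccountPrincipal` and `MyPrincipal` come from the post.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

public class DomainCacheDemo {
    // Hypothetical stand-ins for the two principal types named in the post.
    // Assumption: equality is class-sensitive, so the same user name under
    // two different classes yields two distinct cache keys.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass()
                    && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return Objects.hash(getClass(), name); }
    }
    static class AccountPrincipal extends NamedPrincipal {
        AccountPrincipal(String n) { super(n); }
    }
    static class MyPrincipal extends NamedPrincipal {
        MyPrincipal(String n) { super(n); }
    }

    // Model of a domain cache keyed by the principal object itself.
    static final Map<Principal, String> domainCache = new ConcurrentHashMap<>();
    static int loginModuleCalls = 0;

    // A cache hit skips the login module; a miss runs it and stores the
    // result under whichever principal object was presented.
    static void authenticate(Principal presented) {
        domainCache.computeIfAbsent(presented, p -> {
            loginModuleCalls++;              // stands in for MyLoginModule.login()
            return "authenticated:" + p.getName();
        });
    }

    public static void main(String[] args) {
        authenticate(new AccountPrincipal("alice")); // 1st request: form login
        authenticate(new MyPrincipal("alice"));      // 2nd request: principal taken from session
        authenticate(new MyPrincipal("alice"));      // 3rd request: same key as the 2nd
        System.out.println("login module calls: " + loginModuleCalls);
        System.out.println("cache entries:      " + domainCache.size());
    }
}
```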