3 Replies Latest reply on Jan 6, 2016 3:46 AM by Sony Abraham

    Multiple logins under same user id in Wildfly 9.0.2 uses same subject

    Sony Abraham Newbie



      I am trying to port our existing application (in weblogic) to Jboss wildfly.


      Our application supports multiple logins under same user id but each logins need to be treated in different security context. For this we invoke the login modules by invoking j_security_check for each logins attempts. We use a custome Jaas login module from where the subject is created with a unique user token and set as name of the Principal after successful login. But when using wildfly, the login module is invoked only the first time and for the subsequent login attempts, the user subject is looked up from the domain cache inside JBossCachedAuthenticationManager.


      Further debugging into the issue i noticed below

      1. After jaas login completes, the org.wildfly.extension.undertow.security.AccountImpl in exchange of ServletRequest gets updated with the new Principal (token set during jaas login) and the OriginalPrincipal remains the same as the user id. This is fine  as expected (I hope).

      2. org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(final AccountImpl account, final Object credential) uses the OriginalPrincipal to send to authenticationManager for validation. Since this is not updated, it will always be the original user id.  I think this should be the principal (not the OriginalPrincipal).

      3. org.jboss.security.authentication.JBossCachedAuthenticationManager caches the subject info against the OriginalPrincipal. Therefor it always returns from the cache after the first successful authentication for a user id and JAAS login module is never invoked after that. Shouldn't the caching happen against the authenticated principal set in the subject (CallerPrincipal).


      Can anyone please let me know whether this behavior change is possible ? Or is there any way I can configure custom class for org.wildfly.extension.undertow.security.JAASIdentityManagerImpl and org.jboss.security.authentication.JBossCachedAuthenticationManager in wildfly 9.0.2.