1 Reply Latest reply on Mar 26, 2002 9:37 PM by Brian Coyner

    SRP Login

    Brian Coyner Newbie

      Is there a hidden trick to logging in using the SRP Login Modules? Here's the scenario...

      1.) Invoke a Unit Test.

      2.) Create a new user name and password in the SRPVerifierStore. (Successful)

      3.) Create an instance of of a LoginContext, which points to the org.jboss.security.srp.jaas.SRPLoginModule and the org.jboss.security.ClientLoginModule and call login() using the newly created user's information. (Successful)

      4.) Create and invoke numerous secured EJBs. (Successful).

      5.) Logout (Successful).

      6.) Unit Test Ends

      7.) Invoke different test that does not create the user we created in first Unit Test. This test is in a different VM instance.

      8.) Create a LoginContext and try to login with the User's username and password. (FAILED) JBoss says that the password is invalid.

      So here is what I think is happening...

      Any secured action while still in the VM that makes the initial login and creates the initial VerifierInfo private credential is valid, but once the VM dies and a new one is started the SRPLoginModule classes do not regenerate the credential needed. Is this a feature, a bug, or am I just writing bad unit tests? I would also assume that when a user logs out that their information in the SRP cache would be removed, thus causing a new private credential to be generated the next time they log in. Is this correct?

      Any thoughts?

      Brian

        • 1. Re: SRP Login
          Brian Coyner Newbie

          This is an update to my original post...

          It seems as though the login process is working, if and only if I do the following.

          1.) Take out the calls to my secured EJBs.
          2.) Only have the SRPCacheLoginModule be called on the server side. I used to have the DatabaseServerLoginModule configured to retrieve Role/Group information and ignore the password retrieval using the 'password-stacking="useFirstPass"' attribute.

          So what now looks like is happening is that somehow the DatabaseServerLoginModule is trying to validate the password, which will fail, because it's not in the database. I will keep digging and once I have found an acceptable solution I will post my results. Feel free though to lend any assistance.

          Brian