SRP cache problem?
nicut Mar 20, 2003 10:38 AM
Hello, all
I'm using the SRP login module with a DatabaseVerifierStore.
It's working just fine on my first login, but on the second login, whether or not I did a logout in between,
I have some problems.
I tested my login module on JBoss 3.0.6 and 3.2.0 and the problem seems to be the same on both.
Here are some logs from my JBoss 3.0.6 log file for the case when I don't perform a logout:
On my first login :
TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}
On the second login:
TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
...
2003-03-20 15:37:17,542 DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
javax.security.auth.login.LoginException: Failed to validate SRP session key for: {username=nicut, sessionID=0}
at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:131)
...
ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=nicut
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
I don't know why JBoss validates the session key for {username=nicut, sessionID=0} when actually my current session key
is {username=nicut, sessionID=1}.
Here are some logs from my JBoss 3.0.6 log file for the case when I do perform a logout:
On my first login:
TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}
On the second login:
TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
...
DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
javax.security.auth.login.LoginException: No SRP session found for: {username=nicut, sessionID=0}
at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:121)
...
ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=nicut
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
In this case JBoss looks for the session {username=nicut, sessionID=0} when the current session key is
{username=nicut, sessionID=1}.
If it is a known problem, or if I did something wrong please let me know.
I do have one idea why this happens, but I'm not 100% sure:
JBoss caches the authenticated user as a SimplePrincipal instead of an SRPPrincipal, so when it looks
for the current session, JBoss 3.0.6 (SRPCacheLoginModule.java, line 109) does this:
    if( userPrincipal instanceof SRPPrincipal )
    {
        SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
        key = new SRPSessionKey(username, srpPrincpal.getSessionID());
    }
    else
    {
        key = new SRPSessionKey(username); // the computed key for this is {username=username, sessionID=0}
    }
Actually I verified this. In all my cases the userPrincipal is an org.jboss.security.SimplePrincipal object.
Any ideas will be appreciated.
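An added illustration (not code from the post or from JBoss) of why the two runs above fail with different messages: a mock cache keyed on (username, sessionID), with hypothetical stand-ins for SimplePrincipal, SRPPrincipal and SRPSessionKey, where the fallback to sessionID=0 either hits the stale first session (key mismatch) or, once that session was removed by the logout, finds nothing. Requires Java 16 or later for records and pattern-matching instanceof.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-ins for the JBoss classes named in the post; not the real API.
public class SrpCacheLookupDemo {
    interface Principal { String getName(); }
    record SimplePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record SRPPrincipal(String name, int sessionID) implements Principal {
        public String getName() { return name; }
    }
    // Like SRPSessionKey: two keys are equal only if username AND sessionID match.
    record SessionKey(String username, int sessionID) {}

    static final Map<SessionKey, byte[]> cache = new HashMap<>();

    // Mirrors the branch quoted from SRPCacheLoginModule: a plain principal
    // carries no session id, so the lookup silently falls back to sessionID=0.
    static SessionKey keyFor(Principal p) {
        if (p instanceof SRPPrincipal srp) {
            return new SessionKey(srp.getName(), srp.sessionID());
        }
        return new SessionKey(p.getName(), 0);
    }

    static String validate(Principal p, byte[] presentedKey) {
        SessionKey key = keyFor(p);
        byte[] cached = cache.get(key);
        if (cached == null) return "No SRP session found for: " + key;
        if (!Arrays.equals(cached, presentedKey)) return "Failed to validate SRP session key for: " + key;
        return "validated " + key;
    }

    public static void main(String[] args) {
        byte[] k0 = {1, 2, 3}, k1 = {4, 5, 6}; // constructed session keys for logins 0 and 1
        cache.put(new SessionKey("nicut", 0), k0); // first login
        cache.put(new SessionKey("nicut", 1), k1); // second login
        Principal plain = new SimplePrincipal("nicut");
        // Case 1 (no logout): the stale session 0 is found, but its key does not match.
        System.out.println(validate(plain, k1));
        // Case 2 (logout removed session 0): nothing is cached under sessionID=0.
        cache.remove(new SessionKey("nicut", 0));
        System.out.println(validate(plain, k1));
        // A principal that carries its session id is looked up under the right key.
        System.out.println(validate(new SRPPrincipal("nicut", 1), k1));
    }
}
```

The first two lines printed correspond to the two LoginException messages in the logs above; only the third lookup succeeds, which is why the type of the cached principal matters.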