You _have_ to solve this in the web layer. Trying to solve it in the login module is doomed to fail, because a JAAS login is something completely different from a client login. In an EJB container/server, there is no notion of a user session. When a call on an EJB is made, the user is not logging in: his credentials are checked. Because of JBoss' security manager caching policy, the user login happens to lead to just one call of the login module, but this is - in a way - just coincidence. Trying to count the logins in the login module will leave you with non-deterministic behaviour and EJB calls failing because of a missing security context.
So you somehow have to hook into the web login. I think a possible solution would be to redirect the submit of the login form to a custom servlet that checks the not-login-twice property and then forwards to the standard (Jetty) login URL...
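The web-layer gate suggested above, as an added example (not code from this thread or from JBoss): the login form posts to this servlet instead of to the container's form-login action; the servlet refuses a second concurrent login for the same account and otherwise forwards the request on to the container, which performs the real credential check. The action name `/j_security_check` is the Servlet-spec default for form login; the page name `/already_logged_in.jsp`, the attribute name and the class names are assumptions for the example.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Gate in front of the container's form login (example code, not from the
 * thread). Map the login form's action to this servlet; it enforces the
 * "not logged in twice" rule and then forwards to the standard login action.
 */
public class LoginGateServlet extends HttpServlet {

    /** Servlet-spec default form-login action; the container handles it. */
    private static final String CONTAINER_LOGIN_URL = "/j_security_check";
    /** Assumed page shown when the account already has a live session. */
    private static final String ALREADY_LOGGED_IN_URL = "/already_logged_in.jsp";

    /** Accounts that currently hold an HTTP session: username -> session id. */
    private static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        if (user == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing username");
            return;
        }
        HttpSession session = req.getSession(true);

        // putIfAbsent is atomic, so two simultaneous submits for the same
        // account cannot both pass the check. A retry from the same session
        // (e.g. after a wrong password) finds its own id and is let through.
        String owner = ACTIVE.putIfAbsent(user, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            resp.sendRedirect(req.getContextPath() + ALREADY_LOGGED_IN_URL);
            return;
        }

        // The bound listener releases the account when this session is
        // invalidated (logout) or times out, so a closed browser does not
        // lock the user out until the server restarts.
        session.setAttribute("loginGate.marker", new ActiveUserMarker(user));

        // Hand the unchanged POST (j_username / j_password) to the container,
        // which does the actual JAAS credential check.
        RequestDispatcher rd = req.getRequestDispatcher(CONTAINER_LOGIN_URL);
        rd.forward(req, resp);
    }

    /** Frees the account's slot when the session holding it is destroyed. */
    static final class ActiveUserMarker
            implements HttpSessionBindingListener, Serializable {
        private final String user;

        ActiveUserMarker(String user) {
            this.user = user;
        }

        @Override
        public void valueBound(HttpSessionBindingEvent e) {
            // nothing to do: the slot was taken in doPost
        }

        @Override
        public void valueUnbound(HttpSessionBindingEvent e) {
            // remove(key, value) only clears the entry if this session still owns it
            ACTIVE.remove(user, e.getSession().getId());
        }
    }
}
```

Two caveats a practitioner should weigh before deploying a gate like this: the slot is reserved before the password has been verified, so anyone can submit a victim's username from their own session and block that account until the session times out (keep the session timeout short for unauthenticated sessions, or release the slot on the container's login error page); and the `ACTIVE` map is per JVM, so a clustered deployment needs a shared store instead.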
Hi and thank you for your answer.
After my post I dug into the LoginModule code of JBoss and indeed arrived at the same conclusion. So we have implemented it in the web application layer.
But it raises a new question. Imagine that you want to implement the following login policy:
If a user tries to log in 3 times with the same userAccount but a bad password, the userAccount is deactivated temporarily. It is one of our long-term requirements, but since the very beginning of the project I was thinking of implementing it in the LoginModule, as for the single sign-on ;-)
Now I think there is no way to implement this policy in the web application, because it is not aware of login failures...
What do you think would be the best way to implement it?