I'm working on a rich client J2EE application based on JBoss 3.2.1. For authentication, I use JAAS. On the client side, the JAAS config denotes the ClientLoginModule shipped by JBoss. On the server side, I use the DatabaseServerLoginModule, which gathers the username and password from the default database. While it works most of the time, the following strange thing happens:
1. Login on the client side. The ClientLoginModule stores the credentials in the SecurityAssociation.
2. On the first remote method call (e.g. get the home interface of an EJB), the client sends the credentials stored in the SecurityAssociation along with the method request to the SecurityInterceptor on the server side. This interceptor uses the JAASSecurityManager and the login modules configured to authenticate the user. In this case, this is done using the DatabaseServerLoginModule. If everything works fine, the method is invoked.
3. After this, I change the user password in the database (using a user administration feature within my application). Then I log out. This sets the credentials in the SecurityAssociation to null. If I called a remote method again, this would not work since the credentials are not OK, as expected.
4. If I log in again, I'm able to log in with the old password that was changed before logging out. The server does not complain and invokes the method. I'm able to log out and log in again with the out-of-date credentials until I log in once with the new password. After that, the old password no longer works.
Obviously, this is not the way we expect the security to work. After investigating the security mechanism of JBoss for quite some time, I built up the following hypothesis:
The credentials gathered by the ClientLoginModule and stored in the SecurityAssociation are sent to the server side on each remote method invocation. But the mechanism on the server side authenticates the user only when it gets a new combination of username and password which differs from the one it got with the last remote call. Only then does it use the DatabaseServerLoginModule in order to authenticate the user. This is what I was able to confirm by debug outputs of the server side login module. When logging out, the credentials are only nulled on the client side, but this fact is not propagated to the server side if no additional remote method call occurs. When the user logs in again with the same credentials, which may have become out of date in the meantime, the server receives the same username and password combination and does not authenticate the user again. This leads to a situation where one single user is able to log in using two different passwords, as described above.
In my eyes, the server should be informed of the fact that a user has logged out, or should re-authenticate the user each time it gets a remote method call request along with the username and password. Since this may happen quite often, it may hurt the performance significantly, depending on the authentication mechanism used.
That's what I saw during my investigations; is any of this completely wrong? How could this issue be solved?
Thanks a lot for your comments & hints.
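As an added illustration (not code from the post or from JBoss), the following stand-alone Java model reproduces the behaviour hypothesised above: a server-side cache keyed by principal that skips the login module whenever the presented credential equals the cached one, so a password change in the backing store goes unnoticed until a different credential arrives. The `passwordTable`, `cache` and `changePassword` names are constructed for this demo; the mitigation shown is that any operation which changes or revokes a credential must also evict that principal's cache entry.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Minimal model of a principal-keyed authentication cache in front of a
// database login module. Constructed for illustration; not JBoss code.
public class AuthCacheDemo {
    // Stand-in for the password table the DatabaseServerLoginModule reads.
    static final Map<String, String> passwordTable = new HashMap<>();
    // cache: principal -> credential that was last verified against the table
    static final Map<String, String> cache = new HashMap<>();
    static int backendChecks = 0; // how often the real login module was consulted

    static boolean loginModuleCheck(String user, String pass) {
        backendChecks++;
        return Objects.equals(passwordTable.get(user), pass);
    }

    // Weak variant: if the presented credential matches the cached one, the
    // login module is not consulted, whatever the database now contains.
    static boolean authenticateCached(String user, String pass) {
        if (Objects.equals(cache.get(user), pass)) return true;
        if (loginModuleCheck(user, pass)) { cache.put(user, pass); return true; }
        cache.remove(user);
        return false;
    }

    // Mitigation: a credential change (and a logout) must flush the cached
    // entry so the next request is re-authenticated against the database.
    static void changePassword(String user, String newPass) {
        passwordTable.put(user, newPass);
        cache.remove(user);
    }
    static void logout(String user) { cache.remove(user); }

    public static void main(String[] args) {
        passwordTable.put("alice", "old");
        System.out.println(authenticateCached("alice", "old"));   // first login, backend consulted
        passwordTable.put("alice", "new");                         // password changed WITHOUT flushing
        System.out.println(authenticateCached("alice", "old"));   // stale credential served from cache
        changePassword("alice", "new2");                           // password changed WITH flush
        System.out.println(authenticateCached("alice", "old"));   // backend consulted again, stale credential rejected
        System.out.println("backend checks: " + backendChecks);
    }
}
```

In JBoss 3.2.x the server-side counterparts are the JaasSecurityManagerService's authentication cache settings and its flushAuthenticationCache JMX operation (an assumption from memory; confirm the exact attribute and operation names in your jboss-service.xml). Calling the flush for the affected security domain from the user administration feature after a password change closes the window described in the post.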