4 Replies Latest reply on Feb 26, 2004 4:12 PM by martin0

    "caching" subjects/principals on the server side

    eddie07

      I set up JAAS and it works fine with one exception.
      Each time my client is calling a method of a session bean the complete security code for authentication/authorization is executed again. This is very CPU-intensive because of the involved database queries (I am using my own module derived from AbstractServerLoginModule).
      Isn't there a way for the application server to find out that this client has already been authorized and roles assigned? This information doesn't seem to be sent back to the client (is it possible to do this?) and the server is not able to "map" the client to a subject. Or am I doing something wrong?

      Thanks for your help,
      Eddie

        • 1. Re: "caching" subjects/principals on the server side

          There's an authentication cache in the default distribution already.

          -- Juha

          • 2. Re: "caching" subjects/principals on the server side
            eddie07

            Thanks for your answer.

            > There's an authentication cache in the default
            > distribution already.

            I know this, and I am using the default cache. When I am examining it with jmx-console I can see that my principal is stored - and it is used as long as one request from the client is executed, e.g. if a session bean calls other beans.
            But as soon as the client is doing the next request (without calling login again), my ServerLoginModul is doing everything again.

            How should JBoss recognize that the client is already authenticated?

            Eddie

            PS: To get a better understanding I tried to use example 8 of the JBoss book, but I couldn't compile it because I couldn't find ServiceMBeanSupport in any of the jar files. Where can I find this class file? I am using jboss-3.2.1

            • 3. Re: "caching" subjects/principals on the server side
              ebdr

              Hi, I am not sure if this will fix your problem. I had a similar problem where an authenticated user was not recognized properly by the server. In order to overcome this problem, I stored the LoginContext, with which the user was logged in, in the user's session and had a servlet filter call the LoginContext::login() method at each request.

              -Eric
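
A sketch of the filter approach described in reply 3, added here as an example and not code posted by anyone in the thread. The class name, the session attribute key and the logout after each request are assumptions; it presumes the login page stored the user's `LoginContext` in the HTTP session under that key.

```java
import java.io.IOException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: re-establishes the caller's identity on every request.
public class ReLoginFilter implements Filter {
    // Hypothetical session key; the login page must store the LoginContext under it.
    static final String LC_ATTR = "example.loginContext";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpRes = (HttpServletResponse) res;
        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        LoginContext lc = (session == null) ? null
                : (LoginContext) session.getAttribute(LC_ATTR);
        if (lc == null) {
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // fail closed: no stored context, no access
        }
        try {
            // Requests of one session can run in parallel; serialize use of the context.
            synchronized (lc) { lc.login(); }
        } catch (LoginException e) {
            session.invalidate(); // stored credentials no longer valid
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Added here, not in the post: drop the identity when the request
            // ends so a pooled worker thread does not carry it to the next caller.
            try { synchronized (lc) { lc.logout(); } } catch (LoginException ignored) {}
        }
    }
}
```

`LoginContext` is not `Serializable`, so the session attribute will not survive session persistence or replication, and the context's callback handler keeps the user's credentials in memory for the life of the session.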

              • 4. Re:
                martin0

                Eric,

                That sounds interesting - can you elaborate?

                Thanks
                Martin