I'm having a rather odd and difficult problem, so please forgive me if the following is not understandable.
We have a custom login module which works as follows:
When a user logs in, the module goes to an external server and retrieves a ticket. This ticket is now set as this users credential, and once a user has a ticket it is this ticket which our login module uses for authentication. Everything works fine until this user logs out and logs back in. Upon logging in again, he receives a new ticket which becomes his new credential.
If this user then tries to call an EJB, The JaasSecurityManager attempts to validate this user against it's cache (I'm using the default TimedCachePolicy) but it finds that the credential does not match what it has cached and so removes it from the DomainInfo cache, destroys it, and adds it back to the cache. The process of destroying it uses LoginContext.logout() which goes through the entire JAAS stack and calls our custom logout so now the currently active principal is Null and the EJB call will fail as there is no principal and therefore no group.
Once this initial EJB call fails, all subsequent calls are OK as the DomainInfo cache is up to date.
My question is: Why does the DomainInfo object call the LoginContext.logout() when it destroys itself? Is there a way for me to remove the DomainInfo object from the JaasSecurityManager cache when I do the logout (when I look through the code, I don't think so...)?
Once again, I apologize if this post is unintelligible. We seem to have an extremely complex Authentication system and now that I'm trying to work it into the JAAS framework, I'm in a little bit over my head.
Logout is called when the cache entry is dropped so that the LoginModule which populated the associated Subject can to cleanup or tracking or whatever. There is no other mechanism that triggers a LoginModule logout on the server side.
If you want access to the cache, supply your own cache implementation.