2 Replies Latest reply on Apr 23, 2004 1:22 PM by meera13

    SRPCacheLoginModule using wrong sessionID for 2nd login

    meera13 Newbie

      We are using a login stack that includes :
      <application-policy name = "srpssl-ex">

      <login-module code = "org.jboss.security.srp.jaas.SRPCacheLoginModule"
      flag = "required">
      <module-option name = "cacheJndiName">srp-test/AuthenticationCache</module-option>
      </login-module>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name ="password-stacking">useFirstPass</module-option>
      <module-option name ="principalsQuery">Select pswd from Principals where principalid = ?</module-option>
      <module-option name ="rolesQuery">Select role,rolegroup from Roles where principalid = ?</module-option>
      <module-option name ="unauthenticatedIdentity">guest</module-option>
      </login-module>

      1. The first login goes through SRP but does not call the second login module (DatabaseServerLoginModule).
      2. A second login does not make it through the SRPCacheLoginModule since the login() method does the following:

      SRPSessionKey key;
      if( userPrincipal instanceof SRPPrincipal )
      {
      SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
      key = new SRPSessionKey(username, srpPrincpal.getSessionID());
      }
      else
      {
      key = new SRPSessionKey(username);
      }
      Object cacheCredential = cache.get(key);

      The userPrincipal is not an instance of SRPPrincipal to key is set to
      new SRPSessionKey(username) which generates a default session id of 0 -- the same as the one used by the first user login. This result in a bad cache lookup in cache.get(key).

      What is going on???