1 Reply Latest reply on May 26, 2004 9:50 PM by Scott Stark

    LoginModule order

    Ken Helmes Newbie

      Hello all,

      Jboss 3.2.3 / Windows2000

      I will try this post again, since it is pretty urgent:
      The order of login modules is as below
      1) AdbLoginModule sufficient
      2) BdbLoginModule sufficient

      Phase I:
      AdbLoginModule.login() returns false
      BdbLoginModule.login() returns true
      Phase II:
      AdbLoginModule.commit() - called - why is this called when login() failed?
      According to my understanding of the specs, the only LoginContext commit() methods called are for those LoginModules that return true.

      <application-policy name = "status">

      <login-module code = "AdbLoginModule"
      flag = "sufficient">
      <module-option name = "datasource">ds/ePool</module-option>
      </login-module>
      <login-module code = "BdbLoginModule"
      flag = "sufficient">
      <module-option name = "datasource">ds/security</module-option>
      </login-module>

      </application-policy>

      Thanks,
      kenh

        • 1. Re: LoginModule order
          Scott Stark Master

          The javadocs for the javax.security.auth.spi.LoginModule.commit method clearly state the method is called when the overall login succeeds and that the login module needs to cleanup any state if it failed locally:

          public boolean commit() throws LoginException
          This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

          If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.