I have implemented a class that extends the UsernamePasswordLoginModule to allow authentication against our own system. It also provides authorisation by returning a group (with the name "Roles") from the getRoleSets method, which contains dynamically queried roles. This allows us to set up web applications using the realm-based authentication, defining the roles in the web.xml file as the ones returned in the "Roles" object. However, I notice that if I deny access to a role after a user has logged in once, the user still has access (unless I restart the JBoss server). It seems the server is caching the information for the login. I implemented something similar a while ago for a standalone Tomcat server (subclassing the RealmBase class), which seemed to check the roles each time the user logged in, and assumed this would behave in a similar fashion.
Currently, the setup I have:
Standard JBoss 3.2.3 download.
Server/default/lib has a jar file placed in it containing the implementation of the UsernamePasswordLoginModule subclass.
Server/default/conf/login-config.xml has an element added to the client-login <application-policy> element to define my new class.
The web application contains a jboss-web.xml file defining the <security-domain> element for client-login
The web application web.xml file defines <security-constraint>, <login-config> and <security-role> elements to set up the restrictions based on the named roles.
Does anyone have experience of this sort of issue? Have I perhaps not correctly understood the security and am implementing this in the wrong way, or could it be a setting that I have missed somewhere?
Any help much appreciated.
The realm delegates to a security manager that uses a timed cache by default. See the security chapter in the admin/devl guide for details on configuring, flushing, etc:
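One way to make a revoked role take effect without restarting the server, as an added example that is not code from the thread: invoke the security manager's cache-flush operation over JMX from inside the server whenever roles change. It assumes the JaasSecurityManagerService MBean is registered under `jboss.security:service=JaasSecurityManager` and exposes `flushAuthenticationCache(String)`, as in JBoss 3.2.x; `client-login` is the domain named in the question.

```java
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

/**
 * Drops the cached principals (and therefore their cached "Roles" group)
 * for one security domain, so the next request re-runs the login module
 * and sees the current role assignments.
 */
public class RoleCacheFlusher {

    // Assumed default MBean name of the JaasSecurityManagerService in JBoss 3.2.x.
    private static final String SECURITY_MANAGER_MBEAN =
        "jboss.security:service=JaasSecurityManager";

    public static void flushDomain(String securityDomain) throws Exception {
        // Standard JMX lookup of the MBeanServer running in this JVM.
        List servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("No MBeanServer found in this JVM");
        }
        MBeanServer server = (MBeanServer) servers.get(0);
        ObjectName name = new ObjectName(SECURITY_MANAGER_MBEAN);

        // Assumed operation: evicts every cached login for the named domain.
        // Until the next authentication the user is re-validated and the
        // login module's getRoleSets() is called again.
        server.invoke(name, "flushAuthenticationCache",
            new Object[] { securityDomain },
            new String[] { String.class.getName() });
    }

    public static void main(String[] args) throws Exception {
        // "client-login" is the security domain from the question's jboss-web.xml.
        flushDomain(args.length > 0 ? args[0] : "client-login");
    }
}
```

Flushing only shortens the window; a shorter cache timeout on the same MBean (the DefaultCacheTimeout attribute in jboss-service.xml, assumed here) bounds how long a stale role can survive if a flush is missed.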