5 Replies Latest reply on Dec 8, 2005 6:19 PM by Brian Stansberry

    flushing cache on session timeout!

    Belal Juma Newbie

      Hi,

      How can I flush the JAAS authentication cache upon session timeout in JBOSS 4.0.1?

      I tried what is there in this link, but it doesn't work!!!

      http://www.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials

      Any help please!



        • 1. Re: flushing cache on session timeout!
          Scott Stark Master

          The link works fine for me.

          • 2. Re: flushing cache on session timeout!
            Belal Juma Newbie

            The web.xml has:
            ..
            <session-config>
              <session-timeout>1</session-timeout>
            </session-config>
            ..

            The jboss-web.xml looks like:
            <jboss-web>
              <security-domain flushOnSessionInvalidation="true">
                java:/jaas/TatSecurityDomain
              </security-domain>
            </jboss-web>

            When I wanted to access any page after 1 minute from the first login, I was asked to fill in the login info again.

            But when I logged in again, my login module wasn't executed at all; JBoss authenticated me based on its cache!

            Did I miss anything? Or is there anything wrong in the above configs?
            Please advise!

            • 3. Re: flushing cache on session timeout!
              Mika Koskinen Newbie

              I'm having similar problems with JBoss 3.2.6 when I'm trying to logout
              a user. I have Tomcat SSO enabled. Here's a log printout of what's happening:

              09:22:28,173 INFO [STDOUT] logoutSession get principal
              09:22:28,173 INFO [STDOUT] logoutSession principal: testuser
              09:22:28,173 INFO [STDOUT] JSESSIONIDSSO is removed, redirecting to Welcome page.
              09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals before flush: [testuser]
              09:22:28,183 INFO [STDOUT] getAuthenticationCachePrincipals after flush: []
              09:22:28,183 INFO [STDOUT] SMWelcomeForm constructor end
              09:22:28,203 INFO [Engine] SingleSignOn[localhost]: Process request for '/Welcome.faces'
              09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for SSO cookie
              09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Checking for cached principal for F34A9CDB06E28C1717F229131FC4FAC3
              09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Found cached principal 'testuser' with auth type 'FORM'
              09:22:28,213 INFO [Engine] SingleSignOn[localhost]: Associate sso id F34A9CDB06E28C1717F229131FC4FAC3 with session StandardSession[4A91ACBA9C484E245E1817D9E0385260]


              So the jboss authentication cache flush seems to work correctly but the SingleSignonValve still allows login without re-authentication.
              How can the re-authentication be forced with SSO enabled?

              Regards,
              Mika Koskinen

              • 4. Re: flushing cache on session timeout!
                Jaco Boon Newbie

                I have the same problem when using SSO with JBoss 3.2.5. I flush the JAAS cache programmatically. Without using SSO this works fine. When I enable SSO the cache still gets flushed; however, the user isn't re-authenticated. Has anyone got a solution to this problem?

                Kind regards,
                Jaco

                • 5. Re: flushing cache on session timeout!
                  Brian Stansberry Master

                  If you add the attribute 'requireReauthentication="true"' to the SingleSignOn valve element in server.xml, all requests will be passed to the security Realm for authentication. If the security manager's cache has been flushed, the authentication request will come through to your login module.

                  A timeout of a session will not invalidate the SSO (unless it was the only session associated with the SSO), so the user will not be asked for their credentials. The credentials cached in the SSO will be used. But the request will go to your login module.
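As an added example (not code from this thread or from JBoss itself), here is the programmatic flush Jaco mentions, wired to session destruction so it also fires on the timeout Belal configured. It assumes the JaasSecurityManager MBean name and its flushAuthenticationCache(String) operation as described in the wiki page linked in the question, and a hypothetical listener class name.

```java
// Added example: flush the JBoss JAAS authentication cache whenever a session is
// destroyed (timeout or explicit HttpSession.invalidate()). Not code from the thread.
// Assumes the MBean "jboss.security:service=JaasSecurityManager" and its
// flushAuthenticationCache(String securityDomain) operation (JBoss 3.2/4.0 era).
// Register it in web.xml with:
//   <listener><listener-class>example.JaasCacheFlushListener</listener-class></listener>
package example; // hypothetical package

import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.log4j.Logger;
import org.jboss.mx.util.MBeanServerLocator;

public class JaasCacheFlushListener implements HttpSessionListener {

    private static final Logger log = Logger.getLogger(JaasCacheFlushListener.class);

    // Domain from the jboss-web.xml posted above (java:/jaas/TatSecurityDomain);
    // the cache is keyed by the bare domain name, without the java:/jaas/ prefix.
    private static final String SECURITY_DOMAIN = "TatSecurityDomain";
    private static final String JAAS_MGR_MBEAN = "jboss.security:service=JaasSecurityManager";

    public void sessionCreated(HttpSessionEvent ev) {
        // nothing to do when a session starts
    }

    public void sessionDestroyed(HttpSessionEvent ev) {
        // Clear the cached principals for the domain so the next login
        // actually runs the login module instead of hitting the cache.
        try {
            MBeanServer server = MBeanServerLocator.locateJBoss();
            server.invoke(new ObjectName(JAAS_MGR_MBEAN),
                          "flushAuthenticationCache",
                          new Object[] { SECURITY_DOMAIN },
                          new String[] { "java.lang.String" });
            log.debug("Flushed JAAS authentication cache for " + SECURITY_DOMAIN);
        } catch (Exception e) {
            // A failed flush must not break session cleanup; record it for the operator.
            log.warn("JAAS cache flush failed for " + SECURITY_DOMAIN, e);
        }
    }
}
```

Note that the one-argument operation clears every cached principal for the domain, not only the user whose session expired, and that with the SingleSignOn valve enabled the request still only reaches the login module if the valve carries requireReauthentication="true", as Brian describes above.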