4 Replies Latest reply on Sep 5, 2005 5:00 AM by c-ackerman

Multiple logins cause SRP sessions to accummulate in SRPRemo

c-ackerman Aug 25, 2005 9:14 AM

I am using the JBoss SRP implementation with multiple sessions per user in JBoss 4.0.2. I see (in the code) that SRPSession objects are never removed from the private sessionMap collection inside the SRPRemoteServer class.
I think this will cause the sessionMap to keep on growing as each new mapping that is added has a new key (made from username and a unique session id).
It looks like the SRPSession can be removed from the sessionMap after handshaking is completed, i.e. in the verify method (whether verify succeeds or not).
This will still leave behind entries for which the client never attempted to complete handshaking (verify never called). Maybe a timeout mechanism can work, with a scavenger thread to remove invalid entries - just a suggestion!

1. Re: Multiple logins cause SRP sessions to accummulate in SRP

starksm64 Aug 28, 2005 12:19 PM (in response to c-ackerman)

The close should be removing the session.
http://jira.jboss.com/jira/browse/JBAS-2179
Actions
2. Re: Multiple logins cause SRP sessions to accummulate in SRP

c-ackerman Aug 29, 2005 4:10 AM (in response to c-ackerman)

There is a similar problem in using the TimedCachePolicy as the credential cache in the JaasSecurityManager when using SRP. The TimedCachePolicy only removes entries when an existing entry is replaced by a new one for the same Principal, but the SRPPrincipal object will differ every time because of the sessionID. Hence expired credentials will remain behind in the cache indefinitely.
Actions
3. Re: Multiple logins cause SRP sessions to accummulate in SRP

starksm64 Sep 4, 2005 12:46 PM (in response to c-ackerman)

The JaasSecurityManagerService would need a flushExpired(String domain) op to clear the sessions, or an alternate SRPServerListener implementation that flushed the principal on the closedUserSession(SRPSessionKey) event.
Actions
4. Re: Multiple logins cause SRP sessions to accummulate in SRP

c-ackerman Sep 5, 2005 5:00 AM (in response to c-ackerman)

Scott
Thanks for the replies. I'm probably a bit paranoid about "close" not being guaranteed to always happen for sessions in general, so I made an extended TimedCachePolicy class that regularly removes expired sessions in its TimerTask. Of course this requires synchronization with threads that insert and get entries, so it will slow the cache down somewhat.
That's all from me on this subject for now. Just want to let you know that I enjoy working with JBoss and I find the code easy to work with. Thanks for a great product.
Regards
Charlotte
Actions

Go to original post