4 Replies Latest reply on Dec 29, 2005 10:33 AM by Luigi Putanesca

    SecurityAssociation principal not cleared after client login

    Luigi Putanesca Newbie

      Hi: I'm using JBoss 4.0.3 with EJB3. I have a standalone client that accesses the server and uses the ClientLoginModule to login.

      After the client process ends, the SecurityAssociation principal and credential remain set in the thread in the server. This allows another client to have access on the same thread without providing credentials.

      I've tried setting 'restore-login-identity' to true and false and the same for 'multi-threaded' and this has no effect.

      How can I get the SecurityAssociation to clear on the server after the client disconnects? Below is my client login code and auth.conf:

       static LoginContext lc;
       static {
       CallbackHandler handler = new MyCallbackHandler("admin", "admin");
       try {
       lc = new LoginContext("client-login", handler);
       catch (LoginException e) {
       static class MyCallbackHandler implements CallbackHandler {
       private String username;
       private String password;
       public MyCallbackHandler(String username, String password) {
       this.username = username;
       this.password = password;
       public void handle(Callback[] callbacks)
       throws IOException, UnsupportedCallbackException {
       for (int i = 0; i < callbacks.length; i++) {
       if (callbacks instanceof NameCallback) {
       NameCallback ncb = (NameCallback) callbacks;
       else if (callbacks instanceof PasswordCallback) {
       PasswordCallback pcb = (PasswordCallback) callbacks;
       else {
       throw new UnsupportedCallbackException
       (callbacks, "Unrecognized Callback");

      client-login {
       org.jboss.security.ClientLoginModule required