2 Replies Latest reply on Mar 22, 2006 4:13 AM by Anil Saldanha

    How to prevent multiple authentications in same thread

    Himadri Saha Newbie

      Hi,
I have a scenario where I have protected my web application and the EJBs. I have used the same security domain to protect them.

It works fine, but the problem is that when the servlets invoke one EJB or multiple EJBs, it results in multiple authentication requests due to each layer.

Is there any way you can suggest to ensure that authentication of a Principal happens only once?

      I am using JBoss 4.0.2 with integrated Tomcat.

      Thanks
      Himadri

        • 1. Re: How to prevent multiple authentications in same thread
          chris griffith Expert

          hsaha,

What should happen (if your web app is session based) is that the user is authenticated once in your servlet container. This should occur when the user attempts to access a secured URL the first time. After this first authentication, the user should not have to authenticate to the servlet container again, as long as the session is the same.

In the EJB container, every request to access a secured EJB must be authenticated. But the first time a request is authenticated in a JBoss security domain, the username and credential are cached. The next (and subsequent) requests from the same principal (i.e. username) are checked to see if the credential matches the cached credential.

Thus you should have one JAAS login for your servlet container, and one JAAS login for your EJB container. Any more indicates you may have something configured incorrectly. Unless, of course, that is what you want.

Hope this helps, cgriffith

          • 2. Re: How to prevent multiple authentications in same thread
            Anil Saldanha Master

Since the web and the EJB layers are bound by the same security domain, subsequent auth requests (for the EJB calls) after the first successful auth to the web layer go through the cache that exists in the JaasSecurityManager. This is normal behavior. You will see auth requests going out to the JaasSecurityManagerService (is this what you are concerned about?).

Every request on the server side goes through security. That's the reason we have a timed cache for performance.
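The behaviour both replies describe (one real login for the web layer, subsequent EJB calls in the same security domain served from a timed credential cache, a mismatched credential going back to the login module, and an expired entry forcing re-authentication) is easy to lose track of across layers. The following is an added example that models that cache in plain Python; it is not JBoss code and not the JaasSecurityManager implementation. The `USERS` table, the `login_module` function, the 1800-second timeout, the fake clock, and the choice to leave a cached entry untouched when a mismatched credential fails re-authentication are all assumptions of this model.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed stand-in for the login-module stack behind a security domain.
# The user table is hypothetical sample data, not anything from the thread.
USERS = {"himadri": "s3cret", "cgriffith": "pa55"}


def login_module(principal: str, credential: str) -> bool:
    """Full authentication against the backing store: the expensive path."""
    return USERS.get(principal) == credential


@dataclass
class CacheEntry:
    credential: str
    expires_at: float


@dataclass
class TimedAuthCache:
    """Models a per-security-domain timed credential cache (assumed design)."""
    authenticate: Callable[[str, str], bool]
    timeout: float                              # seconds an entry stays valid
    clock: Callable[[], float] = time.time      # injectable for testing
    login_module_calls: int = 0                 # how often the slow path ran
    _entries: Dict[str, CacheEntry] = field(default_factory=dict)

    def is_valid(self, principal: str, credential: str) -> Tuple[bool, str]:
        """Return (accepted, path) where path is 'cache' or 'login-module'."""
        now = self.clock()
        entry = self._entries.get(principal)
        if entry is not None and entry.expires_at <= now:
            # Timed out: forget it so the principal must re-authenticate.
            del self._entries[principal]
            entry = None
        if entry is not None and entry.credential == credential:
            return True, "cache"
        # No usable entry, or the presented credential does not match the
        # cached one: go to the login module. A success (re)populates the
        # cache; a failure leaves any existing entry alone (model's choice).
        self.login_module_calls += 1
        ok = self.authenticate(principal, credential)
        if ok:
            self._entries[principal] = CacheEntry(credential, now + self.timeout)
        return ok, "login-module"

    def flush(self, principal: str) -> None:
        """Administrative flush of one principal's cached credential."""
        self._entries.pop(principal, None)


def simulate_request_chain():
    """Replay the scenario from the thread: one web login, several EJB calls."""
    now = [1000.0]                                          # fake clock, constructed
    cache = TimedAuthCache(login_module, timeout=1800, clock=lambda: now[0])
    results = []
    results.append(cache.is_valid("himadri", "s3cret"))    # web layer: login module runs once
    for _ in range(3):                                      # EJB calls on the same request
        results.append(cache.is_valid("himadri", "s3cret"))  # served from the cache
    results.append(cache.is_valid("himadri", "wrong"))      # mismatch: login module, rejected
    results.append(cache.is_valid("himadri", "s3cret"))     # good credential still cached
    now[0] += 1801                                          # move past the timeout
    results.append(cache.is_valid("himadri", "s3cret"))     # expired: login module again
    return results, cache.login_module_calls


if __name__ == "__main__":
    for outcome in simulate_request_chain()[0]:
        print(outcome)
```

Running `simulate_request_chain()` shows the login module being hit only three times across seven checks: once for the initial web login, once for the mismatched credential, and once after the cache entry has timed out. Everything in between is the cache path, which is why a correctly configured setup shows one JAAS login per container rather than one per EJB call.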