2 Replies Latest reply on May 30, 2006 8:56 AM by kuzmiigo

    Checking additional cached login credentials

    kuzmiigo

      Hello!

      My LoginModule checks if the certificate in HttpRequest is correct for given username (in login()) and adds that certificate to subject's public credentials (in commit()).

      The problem is that after the successful login (form authentication) the subject is cached, and that user can log in from any computer without the corresponding certificate, as only his newly entered password is compared to the cached password, but the certificate is not checked.

      Is it possible to compare certificates as well? More common case: is it possible to check all the credentials of the cached subject?

      Thank you,

      Igor

        • 1. Re: Checking additional cached login credentials
          j2ee_junkie

          Igor,

          From what I think I know, if you set your auth-method (in web.xml) to CLIENT_CERT, then the certificate should be the credential (i.e. the password). So I would expect a check to see if the user has authenticated against the authentication cache to result in the certificates being compared. Is this not what is happening for you? If you are using CLIENT_CERT, what password are you referring to?

          cgriffith

          • 2. Re: Checking additional cached login credentials
            kuzmiigo

            Thank you!

            I guess if I change auth-method from FORM to CLIENT_CERT, then the user is not presented with the login form to enter name and password.

            Current login requirements are: the user enters name and password (checked by one LoginModule), and then the certificate in HttpRequest is checked to see if it is registered for this user (by another LoginModule). The certificate is added as a credential to the subject by the second LoginModule. If I could somehow mark this credential as "check needed always" (as with password)...

            Igor
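The following is an added example, not code posted by Igor or cgriffith, of the second LoginModule described in this thread: a JAAS module whose login() obtains the username, fetches the client certificate from the current HTTP request and rejects the login if that certificate is not registered for the user, and whose commit() adds the certificate to the subject's public credentials. Assumptions: the request is obtained through the JACC PolicyContext key "javax.servlet.http.HttpServletRequest" (a standard JACC key whose availability inside a JBoss LoginModule is assumed here), the certificate chain is read from the standard servlet attribute "javax.servlet.request.X509Certificate", and the username-to-certificate registry is a constructed in-memory map keyed by SHA-256 fingerprint with a placeholder value. Nothing in this module touches the container's authentication cache; as the thread notes, a cached subject can be re-validated by the container on password alone, so the certificate check below runs only when the module itself runs.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;

/**
 * Second-stage LoginModule: binds the already-authenticated username to the
 * client certificate presented on the current request. (Added example.)
 */
public class CertificateBindingLoginModule implements LoginModule {

    // Constructed registry: username -> lowercase hex SHA-256 fingerprint of the
    // certificate registered for that user. A real deployment would load this
    // from a database or directory; the value here is a placeholder.
    private static final Map<String, String> REGISTERED = Map.of(
            "igor", "<sha256-fingerprint-of-registered-certificate>");

    private Subject subject;
    private CallbackHandler handler;
    private X509Certificate presented;   // certificate accepted in login()
    private boolean loginOk;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        try {
            handler.handle(new Callback[] { nameCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain username: " + e.getMessage());
        }
        String username = nameCb.getName();

        X509Certificate cert = certificateFromRequest();
        if (cert == null) {
            throw new FailedLoginException("no client certificate on request");
        }
        String expected = REGISTERED.get(username);
        // Compare the full certificate fingerprint, not just the subject DN,
        // so a different certificate with the same DN is rejected.
        if (expected == null || !expected.equalsIgnoreCase(fingerprint(cert))) {
            throw new FailedLoginException("certificate not registered for " + username);
        }
        presented = cert;
        loginOk = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!loginOk) {
            return false;
        }
        // Expose the bound certificate to the application as a public credential.
        subject.getPublicCredentials().add(presented);
        return true;
    }

    @Override
    public boolean abort() {
        presented = null;
        loginOk = false;
        return true;
    }

    @Override
    public boolean logout() {
        if (presented != null) {
            subject.getPublicCredentials().remove(presented);
        }
        return abort();
    }

    // Reads the first certificate of the client chain from the active request
    // (assumed to be reachable through the JACC PolicyContext key).
    private static X509Certificate certificateFromRequest() throws LoginException {
        try {
            HttpServletRequest req = (HttpServletRequest)
                    PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
            Object attr = req == null ? null : req.getAttribute("javax.servlet.request.X509Certificate");
            if (attr instanceof X509Certificate[] chain && chain.length > 0) {
                return chain[0];
            }
            return null;
        } catch (PolicyContextException e) {
            throw new LoginException("request unavailable: " + e.getMessage());
        }
    }

    // SHA-256 over the DER encoding, rendered as lowercase hex.
    static String fingerprint(X509Certificate cert) throws LoginException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new LoginException("cannot fingerprint certificate: " + e.getMessage());
        }
    }
}
```

The module is stacked after the password module in the application's login configuration so that both must succeed. Because the registry lookup keys on the certificate fingerprint rather than the subject DN, the check fails closed when the user presents no certificate, an unregistered one, or one whose DN merely matches the expected name.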