2 Replies Latest reply on May 30, 2006 8:56 AM by Igor Kuzmitshov

    Checking additional cached login credentials

    Igor Kuzmitshov Newbie

      Hello!

      My LoginModule checks if the certificate in HttpRequest is correct for given username (in login()) and adds that certificate to subject's public credentials (in commit()).

      The problem is that after the successful login (form authentication) the subject is cached, and that user can login from any computer without corresponding certificate, as only his newly entered password is compared to the cached password, but certificate is not checked.

      Is it possible to compare certificates as well? More common case: is it possible to check all the credentials of the cached subject?

      Thank you,

      Igor

        • 1. Re: Checking additional cached login credentials
          chris griffith Expert

          Igor,

          From what I think I know, if you set your auth-method (in web.xml) to CLIENT_CERT, then the certificate should be the credential (i.e. password). So I would expect a check to see if user has authenticated against the authentication cache would result in the certificates being compared. Is this not what is happening for you? If you are using CLIENT_CERT, what password are you referring to?

          cgriffith

          • 2. Re: Checking additional cached login credentials
            Igor Kuzmitshov Newbie

            Thank you!

            I guess if I change auth-method from FORM to CLIENT_CERT, then user is not presented the login form to enter name and password.

            Current login requirements are: user enters name and password (checked by one LoginModule), and then the certificate in HttpRequest is checked if it is registered for this user (by other LoginModule). Certificate added as a credential to the subject by the second LoginModule. If I could somehow mark this credential as "check needed always" (as with password)...

            Igor