1 Reply Latest reply on Jul 14, 2006 11:48 AM by jaikiran pai

    Credential caching question

    Eric Ray Novice

      Hi guys,

      I'm have a problem that I'm unable to solve regarding credentials caching. I have an ldap user that can authenticate with ldap but is not authorized to use the application. I want to let the user know that they have authenticated but failed authorization and to trying logging in with another username and password that has authorization. The problem is that the credentials are cached and I cannot get JBoss to serve the login page again.

      I'm using form based authentication with the j_security_check action combined with the LdapLoginModule for jboss. Here's what my security-service.xml looks like.

       <!-- JAAS security manager and realm mapping -->
       <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
       <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
       <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
       in seconds.
       If you want to disable caching of security credentials, set this to 0 to
       force authentication to occur every time. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       <attribute name="DefaultCacheTimeout">0</attribute>
       <!-- DefaultCacheResolution: Specifies the default timed cache policy
       resolution in seconds. This controls the interval at which the cache
       current timestamp is updated and should be less than the DefaultCacheTimeout
       in order for the timeout to be meaningful. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       <attribute name="DefaultCacheResolution">0</attribute>

      From my perspective JBoss behaves the same regardless of what I set these values too. Basically, I want to force authentication everytime a certain url is accessed. I don't care if the user has already logged in or not.