I'm have a problem that I'm unable to solve regarding credentials caching. I have an ldap user that can authenticate with ldap but is not authorized to use the application. I want to let the user know that they have authenticated but failed authorization and to trying logging in with another username and password that has authorization. The problem is that the credentials are cached and I cannot get JBoss to serve the login page again.
I'm using form based authentication with the j_security_check action combined with the LdapLoginModule for jboss. Here's what my security-service.xml looks like.
<!-- JAAS security manager and realm mapping --> <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager"> <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute> <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute> <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout in seconds. If you want to disable caching of security credentials, set this to 0 to force authentication to occur every time. This has no affect if the AuthenticationCacheJndiName has been changed from the default value. --> <attribute name="DefaultCacheTimeout">0</attribute> <!-- DefaultCacheResolution: Specifies the default timed cache policy resolution in seconds. This controls the interval at which the cache current timestamp is updated and should be less than the DefaultCacheTimeout in order for the timeout to be meaningful. This has no affect if the AuthenticationCacheJndiName has been changed from the default value. --> <attribute name="DefaultCacheResolution">0</attribute> </mbean>
From my perspective JBoss behaves the same regardless of what I set these values too. Basically, I want to force authentication everytime a certain url is accessed. I don't care if the user has already logged in or not.