1 Reply Latest reply on Jan 6, 2008 6:33 PM by Ragav Gomatam

    Caching name and passwordcallbackhandler

    Kristof Devos Newbie


      I have 2 applications running on 1 server instance. Both have a different loginmodule and have a different security domain.

      The first application is a management application and allows administrators to log in on the 2nd application as different users. For this I've set up an SSO solution --> SAML ticket and username are sent to the loginmodule of the 2nd application using the standard form authentication (auto submit), but in the 2nd loginmodule when I use the name and passwordcallbackhandlers they return me the username and password of my first application and not the username and samlticket. So callbacks still cache previous values.

      Putting the DefaultCacheTimeout = 0 is not an option as it affects our performance.

      Is there any way to make sure the callbacks are not cached?


        • 1. Re: Caching name and passwordcallbackhandler
          Ragav Gomatam Novice

          To my knowledge NameCallback and PasswordCallback are not cached. What is cached is the Principal for the duration of the HttpSession.

          In my login module the scope of the Callback is within the

          public boolean login() throws LoginException

          so that would negate any chance of caching.

          Also in the

          public void initialize(Subject subject, CallbackHandler callbackHandler,
           Map sharedState, Map options)

          method try to pass the security tokens in the sharedState Map if callbacks are insufficient for your purpose. I used this sharedState Map to pass information between login modules.
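
A sketch of the pattern described in the reply, added here as an example and not code from either poster: a plain JAAS LoginModule that creates its callbacks inside login() and publishes the user name through sharedState. The class name, the ticketIsValid hook, and the use of the conventional "javax.security.auth.login.name" key are assumptions; the SAML ticket is assumed to arrive in the password field of the form, as in the question.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module name; not from the thread.
public class SamlTicketLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String user;   // set only after a successful login()

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = callbackHandler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override public boolean login() throws LoginException {
        // Callbacks are locals: new objects per attempt, nothing carried over.
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("ticket: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] ticket = pc.getPassword();   // getPassword() returns a copy
        pc.clearPassword();                 // wipe the callback's own buffer
        boolean ok = nc.getName() != null && ticket != null
                && ticketIsValid(nc.getName(), ticket);
        if (ticket != null) java.util.Arrays.fill(ticket, '\0');
        if (!ok) throw new FailedLoginException("invalid ticket");
        user = nc.getName();
        // Conventional key (assumption) so later modules in the stack can read it.
        sharedState.put("javax.security.auth.login.name", user);
        return true;
    }

    // Placeholder hook: real code verifies signature, audience and expiry.
    protected boolean ticketIsValid(String name, char[] ticket) { return false; }

    @Override public boolean commit() {
        if (user == null) return false;
        final String n = user;
        subject.getPrincipals().add(() -> n);   // minimal Principal for the example
        return true;
    }
    @Override public boolean abort()  { user = null; return true; }
    @Override public boolean logout() { user = null; return true; }
}
```

The placeholder validator fails closed, so the module rejects every login until ticketIsValid is overridden with a real check.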