This is strictly a login module configuration issue. The SRP login
module implementation comes as a client/server pair of login modules
that maintain a user-based state that can be logged out immediately.
Read the SRP section in the JBossSX chapter of the book as
it talks in detail about this.

All is possible with JBoss.

> Scenario:
> A client connects, logs in, does a remote invocation, is validated, gets a
> return, logs out, exits.  The client again starts up, logs in, does a remote
> invocation, OK... here it isn't really validated again it is pulled out of
> the cache, no password validation, no new roles if they exist.  Of course
> this is because of the cache.  And I want the cache as long as the client is
> still logged in under the same "session".  The consequence of this is that
> after a person logs in, and until the cache times out, anyone can
> impersonate that user all he has to know is the userid. (no special password
> required)
>
> I would like to see a token that is sent with the Invocation that is set
> when the server actually authenticates a user.  It is returned to the client
> and is re-sent every time the client does a remote invocation.  UNTIL... the
> client logs out or exits of course.
>
> Next Invocation after a logout or re-login, the Invocation is naked ;)
> (doesn't have a token), without the token the server knows to invalidate his
> cache and re-authenticate.
>
> Scott, any thoughts?
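
The quoted scenario, replayed as an added model that is not JBoss code and not from either poster: a server keeps an authentication cache keyed by user id, and the two invocation paths show the difference between trusting the cache on the user id alone (the impersonation the post describes) and requiring the token issued at login to be re-sent with every invocation. The class and method names, the TTL, the sample user and the password are all constructed for this example.

```python
"""Model of the authentication-cache problem and the per-login token
fix described in the thread. Not JBoss code: names, users and passwords
are constructed for the example."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    roles: frozenset
    token: str        # secret issued at login, re-sent with every invocation
    created: float


class AuthServer:
    """Server side: password store, authentication cache, invocation checks."""

    def __init__(self, users, ttl=300.0, clock=time.monotonic):
        self._users = users      # user id -> (password, roles); constructed sample data
        self._ttl = ttl          # cache lifetime in seconds
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._cache = {}         # user id -> CacheEntry

    def login(self, user, password):
        """Real authentication: check the password, cache the roles, issue a token."""
        creds = self._users.get(user)
        if creds is None or not hmac.compare_digest(creds[0], password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._cache[user] = CacheEntry(frozenset(creds[1]), token, self._clock())
        return token

    def logout(self, user, token):
        """Only the holder of the current token may evict the cache entry."""
        entry = self._cache.get(user)
        if entry is not None and hmac.compare_digest(entry.token, token):
            del self._cache[user]

    def _live_entry(self, user):
        entry = self._cache.get(user)
        if entry is not None and self._clock() - entry.created > self._ttl:
            del self._cache[user]   # expired: force a fresh login
            entry = None
        return entry

    def invoke_userid_only(self, user):
        """The behaviour the post complains about: while the entry is cached,
        naming the user id is enough to get that user's roles back."""
        entry = self._live_entry(user)
        if entry is None:
            raise PermissionError("not authenticated; log in")
        return entry.roles

    def invoke_with_token(self, user, token):
        """The proposed fix: the invocation must carry the token from login.
        A naked or mismatched token invalidates the cached entry, so the
        caller has to authenticate again with a password."""
        entry = self._live_entry(user)
        if entry is None:
            raise PermissionError("not authenticated; log in")
        if token is None or not hmac.compare_digest(entry.token, token):
            del self._cache[user]
            raise PermissionError("token missing or stale; re-authenticate")
        return entry.roles


def _rejected(srv, user, token):
    """True when the server refuses the invocation."""
    try:
        srv.invoke_with_token(user, token)
    except PermissionError:
        return True
    return False


def run_scenario():
    """Replays the thread's scenario and returns which checks behaved as expected."""
    srv = AuthServer({"alice": ("alice-pw", ["user"])})   # constructed user
    out = {}
    tok1 = srv.login("alice", "alice-pw")
    out["token_accepted"] = srv.invoke_with_token("alice", tok1) == frozenset({"user"})
    # Impersonation with the user-id-only cache: no token, no password needed.
    out["userid_only_impersonation"] = srv.invoke_userid_only("alice") == frozenset({"user"})
    srv.logout("alice", tok1)
    out["naked_after_logout_rejected"] = _rejected(srv, "alice", None)
    # Client starts again and logs in: a fresh token is issued, the old one is dead.
    tok2 = srv.login("alice", "alice-pw")
    out["new_token_accepted"] = srv.invoke_with_token("alice", tok2) == frozenset({"user"})
    out["old_token_rejected"] = _rejected(srv, "alice", tok1)
    # The mismatch above evicted the entry, so even tok2 now needs a fresh login.
    out["eviction_forces_relogin"] = _rejected(srv, "alice", tok2)
    return out


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

One design point worth noticing in the replay: evicting the cache entry on a missing or stale token, as the post proposes, means any naked invocation naming a logged-in user knocks that user's legitimate session out of the cache. That closes the impersonation hole, but a deployment would want to weigh it against simply rejecting the bad invocation and leaving the valid entry in place.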



_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development