Interesting and odd log entries - especially since I don't know what a good "run" should look like. I followed the security FAQ and added the necessary log4j config entries. After trundling through the info, I still see:
* multiple access to the login module's login() method; and
* inserts into the cache with different subject reference Id

For example, I see the actual login:

| 2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
| 2007-02-08 14:58:03,322 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:58:03,322 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: U174791 is authenticated
| 2007-02-08 14:58:03,332 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , [EMAIL PROTECTED],subject=18143033}

Then access to the next URL, where the "hit" on the web app checks (and finds) the subject in cache:

| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for SSO cookie
| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for cached principal for D5612028A309EA8A4A5889D393B6251A
| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Found cached principal 'U174791' with auth type 'FORM'

But then access from web-app to EJB to EJB in another ear (all with same jaas policy configured) produces:

| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, [EMAIL PROTECTED],subject=null}
| 2007-02-08 14:59:09,928 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , [EMAIL PROTECTED](23167560)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791),[EMAIL PROTECTED],expirationTime=1170961028413], activeUsers=0
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , [EMAIL PROTECTED](23167560)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791),[EMAIL PROTECTED],expirationTime=1170961028413]
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(acol-core-policy), size=10
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(acol-core-policy), authInfo=AppConfigurationEntry[]:
| [0]
| LoginModule Class: ca.acol.core.security.login.JBossLoginModule
| ControlFlag: LoginModuleControlFlag: sufficient
| Options:name=auth_ds, value=auth
|
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, [EMAIL PROTECTED], subject=Subject(2223107)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791)
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] updateCache, inputSubject=Subject(2223107)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791)
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: [EMAIL PROTECTED](17676813)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791),[EMAIL PROTECTED],expirationTime=1170961148415]
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , [EMAIL PROTECTED],subject=28983194}
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null

Just to clarify wars/jars/ears involved:

.ear
  - .war - struts-based web application
  - .jar - contains application-specific EJBs
payment.ear
  - payment.jar - real-time payment interface

.war invokes .jar to perform custom workflow, including payment. Thus .jar calls EJBs in .jar.

Various incantations of security-domain have been used, all with the same application policy. Log snippets above are from with .war and payment.jar with the security-domain set to acol-core-policy. I have tried adding the same security policy to .jar, but that just increases the number of re-authentication calls.

-- James

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013244#4013244
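
An added example, not part of the original post and not JBoss code: a small Python pass over JaasSecurityManager TRACE output that folds the multi-line Subject entries back together, counts `cache info: null` misses per principal, and flags a miss that follows an earlier successful `isValid` for the same principal. The names `records` and `analyze` are hypothetical, the sample entries are excerpted from the post, and the line breaks inside the `destroy` entry are an assumption about the original layout.

```python
import re
from collections import Counter

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
BEGIN = re.compile(r"Begin isValid, principal:(\S+), cache info: (.*)")
SUBJECT_ID = re.compile(r"\((\d+)\)")  # number printed in parentheses in cache entries

# Entries excerpted from the post; line breaks inside the destroy entry are assumed.
SAMPLE = """\
2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:58:03,322 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
    Principal: Roles(members:xxx,yyy,zzz)
    Principal: U174791
, [EMAIL PROTECTED](23167560)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791),[EMAIL PROTECTED],expirationTime=1170961028413], activeUsers=0
2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: [EMAIL PROTECTED](17676813)[EMAIL PROTECTED](Roles(members:xxx,yyy,zzz))[EMAIL PROTECTED](U174791),[EMAIL PROTECTED],expirationTime=1170961148415]
2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
"""

def records(text):
    """Fold continuation lines (multi-line Subject output) into their log entry."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def analyze(text):
    """Count cache misses per principal and flag misses after an earlier success."""
    misses, reauth, inserted, destroyed = Counter(), [], [], []
    authenticated, pending = set(), None  # assumes entries are not interleaved by thread
    for rec in records(text):
        m = BEGIN.search(rec)
        if m:
            pending = m.group(1)
            if m.group(2).strip() == "null":
                misses[pending] += 1
                if pending in authenticated:  # validated before: a re-authentication
                    reauth.append((rec[:23], pending))
        elif "End isValid, true" in rec and pending:
            authenticated.add(pending)
        elif "Inserted cache info:" in rec:
            inserted += SUBJECT_ID.findall(rec)[:1]
        elif "] destroy, subject=" in rec:
            destroyed += SUBJECT_ID.findall(rec)[:1]
    return {"misses": dict(misses), "reauth": reauth,
            "inserted": inserted, "destroyed": destroyed}
```

Run over a full server.log, the `reauth` list gives the timestamps to line up against the `destroy` entries when checking whether a cache entry was evicted just before each repeated login.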
