OK, let's try once more.
I have JBoss AS 4.0.2.
I have a ServerSideLoginModule and a ClientSideLoginModule. All authentication
happens on the server side, i.e. inside ServerSideLoginModule. ClientSideLoginModule,
just like the JBoss ClientLoginModule, simply propagates the necessary callbacks to
the server using SecurityAssociationActions.setPrincipalInfo().
Thank you for the tip about using the first pass in ClientLoginModule. I'll try it.
Also I have two EJB3 beans deployed: EJB#1 and EJB#2. They are both protected by
MySecurityDomain. The login-config.xml has these lines:

    <application-policy name="MySecurityDomain">
      <authentication>
        <login-module code="my.package.ServerSideLoginModule"
                      flag="required">
        </login-module>
      </authentication>
    </application-policy>

What happens, step by step:
1) The user logs in to ClientSideLoginModule. The callback handler scans the
   fingerprint and the module sets the principal info, i.e. the fingerprint and name.
2) The user calls an EJB#1 method.
   a) The credentials are propagated to the server.
   b) ServerSideLoginModule is invoked. It authenticates the subject, and stores
      the fingerprint in the subject's private credentials and the name as a
      SimplePrincipal.
   c) Somewhere here, as I think, the credentials, i.e. the fingerprint and name,
      are cached as CACHED#1.
   d) Before the call to the EJB#1 method, the current subject's credentials are
      checked against CACHED#1. As they are equal (actually, the same) -> e)
   e) The EJB#1 method is called.
3) The user calls an EJB#2 method.
   a) Before the call to the EJB#2 method, the current subject's credentials are
      checked against CACHED#1. As they are equal -> b)
   b) The EJB#2 method is called.
4) ServerSideLoginModule.logout() is not called, as the timeout has not expired yet.
5) The client shuts down the application and then launches it again.
6) The user logs in to ClientSideLoginModule. The callback handler scans the
   fingerprint and the module sets the principal info, i.e. the fingerprint. A
   person cannot put the finger on the scanner in ABSOLUTELY THE SAME position; it
   goes a little bit left or right, or up, or down. The special library handles
   this inaccuracy, but the byte array is still different.
7) The user calls an EJB#1 method.
   a) The credentials are propagated to the server.
   b) ServerSideLoginModule is NOT invoked.
   c) The given credentials, i.e. the fingerprint and name, are compared to the
      credentials in CACHED#1. They are not equal.
   d) ServerSideLoginModule is invoked. It authenticates the subject, and stores
      the fingerprint in the subject's private credentials and the name as a
      SimplePrincipal.
   e) The current credentials are not cached as CACHED#2, as seen in 7)h).
   f) The EJB#1 method is called.
   g) ServerSideLoginModule.logout() is called, removing the fingerprint and name
      from the subject's private credentials and principals.
   h) Before calling the EJB#2 method, the current subject's credentials are
      compared against CACHED#1. They are not equal.
   i) ServerSideLoginModule is invoked. It authenticates the subject, and stores
      the fingerprint in the subject's private credentials and the name as a
      SimplePrincipal.
   j) The current credentials are not cached as CACHED#2.
   k) The EJB#2 method is called.
   l) ServerSideLoginModule.logout() is called, removing the fingerprint and name
      from the subject's private credentials and principals.
I tried flushing the cache before saving the name and fingerprint in
ServerSideLoginModule.commit(). There was no effect. I wrote it this way:

    import java.security.Principal;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;
    import org.jboss.security.SimplePrincipal;

    // inside ServerSideLoginModule.commit(), before storing the name and fingerprint;
    // the ObjectName constructor and MBeanServer.invoke() throw checked exceptions
    // that commit() has to catch or wrap
    String domain = "jmx-console";   // security domain whose authentication cache is flushed
    Principal user = new SimplePrincipal(principalName);
    ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
    Object[] params = {domain, user};
    String[] signature = {"java.lang.String", Principal.class.getName()};
    MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
    server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
I think it would be satisfactory if the server cached the last authenticated
credentials.
The TRACE logging is so huge that I'd rather do without it. I hope this can resolve
some of the misunderstanding :)
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3924494#3924494
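One way to make the cache check in step 7)c) succeed for a rescanned finger, added here as an example that is not from the post or from JBoss itself: carry the template in a credential object whose comparison runs the matcher, so that a template within tolerance compares as 0. It assumes that the security manager compares a Comparable credential through compareTo() (verify this against the JaasSecurityManager source of your JBoss version), that both login modules pass this object as the credential, and that similarity() is a stand-in for the vendor library's matching call.

```java
import java.io.Serializable;

// Credential carrying a scanned fingerprint template. The client login module
// passes it as the credential, the server login module verifies it, and the
// security manager's cache compares it via compareTo() rather than byte-for-byte,
// so a slightly different rescan of the same finger still matches the cached entry.
public final class FingerprintCredential implements Comparable, Serializable {

    // Constructed threshold: share of template bytes that must agree.
    private static final double MATCH_THRESHOLD = 0.90;

    private final byte[] template;

    public FingerprintCredential(byte[] template) {
        this.template = (byte[]) template.clone();
    }

    // Stand-in for the vendor matcher (hypothetical): similarity in [0, 1] as the
    // share of positions whose bytes are equal; a real deployment calls the scanner library.
    static double similarity(byte[] a, byte[] b) {
        if (a.length != b.length) return 0.0;
        int same = 0;
        for (int i = 0; i < a.length; i++) {
            if (a[i] == b[i]) {
                same++;
            }
        }
        return (double) same / a.length;
    }

    // 0 means "matches"; the cache only tests for 0, so no ordering is implied.
    public int compareTo(Object other) {
        if (!(other instanceof FingerprintCredential)) {
            return -1;
        }
        byte[] otherTemplate = ((FingerprintCredential) other).template;
        return similarity(template, otherTemplate) >= MATCH_THRESHOLD ? 0 : -1;
    }

    public boolean equals(Object other) {
        return compareTo(other) == 0;
    }

    // Tolerant equality has no content hash that respects it; a constant keeps the contract.
    public int hashCode() {
        return 0;
    }
}
```

Because a tolerant compareTo() decides whether the cache skips re-authentication, the threshold has to be the one the matcher library is validated for, not a looser value chosen to make cache hits more frequent.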
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user