Hello, all - we've got an issue where interface methods of our custom
login module are not being called after a first successful login. Our
guess is somewhere in the security info caching. We see it in both
JBoss-2.4.7_Tomcat-3.2.3 and jboss-3.0.3_tomcat-4.1.12 on W2K, Linux,
Solaris, using JDK 1.3.1 and JDK 1.4.1. We are using form-based
authentication, per J2EE spec.
When a user is authenticated the first time (successfully), the login()
and commit() methods of our custom LoginModule are called and all is
well. The second time the user logs in (successfully), he is
automatically logged in; however, login() and commit() are not being called.
We have custom code in login() and commit() that always need to be called
during a login. If we clear the jboss security authentication cache
between logins, the methods get called again; however, this solution is
undesirable since it clears all the roles for other users also and
causes us to have to query the database for the roles again.
Here are the 3.0 config files associated with the login module:

jboss-web.xml:

<jboss-web>
    <security-domain>java:/jaas/docs</security-domain>
    ...
</jboss-web>

web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>WebDOCS</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/authenticationError.jsp</form-error-page>
    </form-login-config>
</login-config>

login-config.xml:

<application-policy name = "docs">
    <authentication>
        <login-module code = "corp.docs.security.DOCSLoginModule"
                      flag = "required">
            <module-option name = "dsJndiName">java:/DocsDS</module-option>
        </login-module>
    </authentication>
</application-policy>

Here are the 2.4 config files:

auth.conf:

// The docs login module
docs {
    org.jboss.security.auth.spi.ProxyLoginModule required
    moduleName=corp.docs.security.DOCSLoginModule
    dsJndiName="java:/DocsDS";
};

jboss.jcml:

<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="Security:name=JaasSecurityManager">
    <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
    <attribute name="LoginConfig">Security:name=DefaultLoginConfig</attribute>
</mbean>
<mbean code="org.jboss.security.plugins.DefaultLoginConfig"
       name="Security:name=DefaultLoginConfig">
    <attribute name="AuthConfig">auth.conf</attribute>
</mbean>

web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/authenticationError.jsp</form-error-page>
    </form-login-config>
</login-config>

jboss-xml:

<jboss-web>
    <security-domain>java:/jaas/docs</security-domain>
    ...
</jboss-web>

Has anyone else seen this? Is there a way to configure jboss to always
call all methods on the custom LoginModule during a login, but cache
authentication/roles during other use of the system?
Thanks,
David