Hi,

We have a web application running on JBoss 3.2.3 which authenticates against an 
LDAP server using form-based authentication and JAAS. 
There is a custom login module which extends 
org.jboss.security.auth.spi.UsernamePasswordLoginModule to achieve the same and 
has been configured using login-config.xml.

Everything works fine except when we encounter the below scenario.
a) Login to the application as user "A"
b) Using the Browser back button reach the login screen again  (i.e without 
logging out )
c) Now Login as user "B". (in the same browser session)
d) User "B" now has the principals of user "A" i.e.

    Subject subj = SecurityAssociation.getSubject();
the above statement retrieves the Subject of user "A" rather than that of user "B".

(There is no problem when the user "A" does a proper log out and then re-logins 
as a different user "B")

Can someone suggest how this problem can be resolved, or how the user can be 
prevented from doing the above?

Thanks in advance
Vikram

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3892123#3892123

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3892123
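The scenario above is a classic session-fixation-style identity carry-over: the HttpSession created for user "A" is reused, so the container still associates "A"'s principal with the session when "B" submits the form. One defensive mitigation is to make sure a login form is never served to a session that already carries an authenticated principal. The servlet filter below is an added example for this thread, not code from the original post or from JBoss; it assumes the Servlet 2.3 API that JBoss 3.2.x ships, that the login page is `/login.jsp` (a hypothetical path), and that the filter is mapped to that page in `web.xml`.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter, mapped in web.xml to the login page (assumed /login.jsp).
 * If the login form is requested from a session that already has an authenticated
 * principal (e.g. user "A" pressed Back to reach the form), the old session is
 * invalidated first. The login that follows therefore starts from a fresh,
 * anonymous session instead of inheriting "A"'s identity and Subject.
 */
public class ReloginSessionResetFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure for this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal current = request.getUserPrincipal();   // non-null once form auth succeeded
        HttpSession session = request.getSession(false);  // do not create a session here

        if (current != null && session != null) {
            // Constructed log line; replace with the application's own logging.
            System.out.println("login form requested by already-authenticated user "
                    + current.getName() + " in session " + session.getId()
                    + "; invalidating session before re-login");
            // Dropping the session removes the container's link between this
            // browser and user "A"; the next successful login binds user "B"
            // to a new session and a new Subject.
            session.invalidate();
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter only to the login page (a `<filter-mapping>` with `<url-pattern>/login.jsp</url-pattern>`), not to `j_security_check`: the container's form authenticator keeps the originally requested URL in the session, and invalidating during the credential POST would break the post-login redirect. Any application state the login page itself needs from the old session is lost by design, which is the point: the re-login of a different user should not carry anything over.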


_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user
