JBoss 3.2.2 final
Windows XP Pro SP1
Sun JDK 1.4.1_04

I've implemented a stackable SecurityConfig bean as described in chapter 8 of the JBoss documentation and added as Patch [ 828977 ]:
http://sourceforge.net/tracker/?func=detail&aid=828977&group_id=22866&atid=376687

I've included the implementation in a SAR which is inside of an EAR with a WAR, EJB and other JARs. When a user is authenticated successfully, and then the app is redeployed, the same user is obtained from the specific JaasSecurityManager cache. This wouldn't be a problem except for the Subject stored in the cache contains an instance of a Principal class which was loaded by the original classloader. Upon redeployment, this Principal class is loaded by the new classloader, and it of course is not an instance of the original Principal class.

It appears that when a SecurityConfig is destroyed, its JaasSecurityManager instances should also be destroyed. Does this proposal make sense?

The workaround currently is to flush the appropriate JaasSecurityManager cache when the SecurityConfig is destroyed, or wait for the cache entry to expire. However, the application config name must be hard coded because there's no way to see all the configurations managed by the SecurityConfig. Is it acceptable to return all the configurations (from a security standpoint)?

Thanks.

--
Chris Bonham
President/CEO
Third Eye Consulting, Inc.
[EMAIL PROTECTED]
http://www.thirdeyeconsulting.com
317.823.3686
317.823.0353 (FAX)
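
The classloader mismatch described in the message above, as an added example that is not part of the original post or of JBoss. A plain HashMap stands in for the JaasSecurityManager cache, AppPrincipal and DeploymentLoader are hypothetical names, and the code uses current Java rather than JDK 1.4.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class StalePrincipalDemo {
    // Hypothetical application Principal, standing in for the class packaged in the EAR.
    public static class AppPrincipal implements Principal {
        private final String name;
        public AppPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // One instance per "deployment": defines its own copy of AppPrincipal, delegates the rest.
    static class DeploymentLoader extends ClassLoader {
        DeploymentLoader() { super(StalePrincipalDemo.class.getClassLoader()); }
        @Override
        protected Class<?> loadClass(String n, boolean resolve) throws ClassNotFoundException {
            if (!n.equals(AppPrincipal.class.getName())) return super.loadClass(n, resolve);
            Class<?> c = findLoadedClass(n);
            if (c != null) return c;
            try (InputStream in = getParent().getResourceAsStream(n.replace('.', '/') + ".class")) {
                byte[] b = in.readAllBytes();
                return defineClass(n, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(n, e);
            }
        }
    }

    // Simulates a successful login under one deployment's classloader.
    static Principal login(ClassLoader cl, String user) throws Exception {
        return (Principal) cl.loadClass(AppPrincipal.class.getName())
                .getConstructor(String.class).newInstance(user);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Principal> cache = new HashMap<>(); // stand-in for the per-domain auth cache
        ClassLoader first = new DeploymentLoader();
        cache.put("alice", login(first, "alice"));
        ClassLoader second = new DeploymentLoader();    // the redeployed application
        Class<?> current = second.loadClass(AppPrincipal.class.getName());
        System.out.println("cached entry usable after redeploy: " + current.isInstance(cache.get("alice")));
        cache.clear();                                  // flush when the old deployment is destroyed
        cache.put("alice", login(second, "alice"));
        System.out.println("after flush and re-login: " + current.isInstance(cache.get("alice")));
    }
}
```

Compile with javac before running so the loader can read the class file from the classpath. The stale entry keeps the same class name but fails the type check under the new loader, which is why the cache has to be flushed together with the deployment that populated it.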