Question

We implemented a CustomLoginModule that extends UsernamePasswordLoginModule for JAAS in JBoss EAP 6.2.

The login module contains functionality that needs to be handled every login and it appears that for some logins, the CustomLoginModule is not called.

We notice that when a user logs in at two separate locations, the second login never enters the CustomLoginModule methods: initialize, login, logout, getRoleSets, getUsersPassword, createPasswordHash, validatePassword. It seems like the logged-in user's password and roles are cached and reused.

If the second user logs in with a wrong password, the validatePassword method is called.

So my question is: how can I force every login to go through the CustomLoginModule?


Solution

I was confused by possible solutions implementing a custom JaasSecurityManagerService mbean, or at least defining its DefaultCacheTimeout: link and link

The answer proved much simpler, and I got it from here (scroll to the answer by Darren Jones for Wildfly, complemented by Artur Mioduszewski for EAP6.1).

I use EAP 6.2, so I used the following configuration in my standalone.xml:

<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
    <cache-container name="security" default-cache="auth-cache">
        <local-cache name="auth-cache" batching="true">
            <expiration lifespan="*INSERT_CACHE_TIMEOUT_IN_MILLIS"/>
        </local-cache>
    </cache-container>
...
<security-domain name="myJaasDomain" cache-type="infinispan">

Setting the timeout to 0 shows undefined behaviour, so I used 1 ms.

OTHER TIPS

The key to answering this problem is the security-domain configuration. The cache-type="infinispan" (or "default", as in most examples around the web) activates the use of JBossCachedAuthenticationManager. It stores the data of recent logins (with credentials) and compares input with cached entries. If a cached entry is found, it validates whether the user/password is valid. If valid, it continues without executing the authenticate method again.

If you remove the cache-type tag as @steven suggested, you remove the use of the cache when checking the credentials and then force the authentication mechanism again.

Messing with the configuration is not a good idea if your settings include more security-domains.
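The following is an added example (not code from the question, the answers, or JBoss itself) that models in plain Java the cache behaviour both answers describe: a cache hit whose stored credential matches skips the login module, a mismatch or an expired entry falls through to it, and a 1 ms lifespan therefore makes every login reach the module. The class and method names (CachedAuthenticationManager, isValid, authenticate), the sample user and passwords, and the lifespans are all constructed for the demo; the real JBossCachedAuthenticationManager is not reproduced here. The last scenario shows the consequence a defender cares about: while an entry is alive, a password changed in the backing store is not seen.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of cached JAAS authentication (assumed names, not JBoss code).
public class CachedAuthDemo {

    /** Stand-in for the CustomLoginModule: counts how often it is really invoked. */
    static class CustomLoginModule {
        final Map<String, String> userStore = new HashMap<>(); // constructed sample users
        int invocations = 0;

        CustomLoginModule() {
            userStore.put("alice", "s3cret");
        }

        /** Mirrors validatePassword(): true only when the stored password matches. */
        boolean authenticate(String user, String password) {
            invocations++;
            String stored = userStore.get(user);
            return stored != null && stored.equals(password);
        }
    }

    /** One cached login: the credential that succeeded and when the entry expires. */
    static class CacheEntry {
        final String password;
        final long expiresAtMillis;

        CacheEntry(String password, long expiresAtMillis) {
            this.password = password;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    /** Auth cache with an expiration lifespan in milliseconds (0 disables caching). */
    static class CachedAuthenticationManager {
        private final CustomLoginModule module;
        private final long lifespanMillis;
        private final Map<String, CacheEntry> cache = new HashMap<>();

        CachedAuthenticationManager(CustomLoginModule module, long lifespanMillis) {
            this.module = module;
            this.lifespanMillis = lifespanMillis;
        }

        boolean isValid(String user, String password, long nowMillis) {
            CacheEntry entry = cache.get(user);
            if (entry != null && nowMillis < entry.expiresAtMillis) {
                // Live cache hit: compare with the cached credential. On a match the
                // login module is skipped entirely (the behaviour the question reports).
                if (entry.password.equals(password)) {
                    return true;
                }
                // Mismatch: fall through, so the module's validatePassword runs.
            }
            boolean ok = module.authenticate(user, password);
            if (ok && lifespanMillis > 0) {
                cache.put(user, new CacheEntry(password, nowMillis + lifespanMillis));
            }
            return ok;
        }
    }

    public static void main(String[] args) {
        // Long lifespan: a second correct login (the "second location") never reaches
        // the module; only the wrong-password attempt does.
        CustomLoginModule m1 = new CustomLoginModule();
        CachedAuthenticationManager cached = new CachedAuthenticationManager(m1, 30 * 60 * 1000L);
        cached.isValid("alice", "s3cret", 0);
        cached.isValid("alice", "s3cret", 1_000);
        cached.isValid("alice", "wrong", 2_000);
        System.out.println("long lifespan: module invoked " + m1.invocations + " times (expect 2)");

        // Stale-credential consequence: the store changes, but the live entry still
        // accepts the old password without consulting the module.
        m1.userStore.put("alice", "n3wpass");
        boolean oldStillWorks = cached.isValid("alice", "s3cret", 3_000);
        System.out.println("old password accepted while cached: " + oldStillWorks + " (expect true)");

        // 1 ms lifespan (the accepted answer): every login is handled by the module.
        CustomLoginModule m2 = new CustomLoginModule();
        CachedAuthenticationManager shortLived = new CachedAuthenticationManager(m2, 1L);
        shortLived.isValid("alice", "s3cret", 0);
        shortLived.isValid("alice", "s3cret", 1_000);
        System.out.println("1 ms lifespan: module invoked " + m2.invocations + " times (expect 2)");
    }
}
```

Compile and run with `javac CachedAuthDemo.java && java CachedAuthDemo`. The counts make the trade-off explicit: the long lifespan saves one module call per repeated login but also keeps a revoked or changed password usable until the entry expires, which is why the 1 ms lifespan (or dropping cache-type) is the right choice when the module must observe every login.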

Licensed under: CC-BY-SA with attribution