<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Re: LoginModule defined with cached=true, but called between web and ejb container
</h3>
<span style="margin-bottom: 10px;">
created by <a href="https://community.jboss.org/people/pgarner">Patrick Garner</a> in <i>PicketBox Development</i> - <a href="https://community.jboss.org/message/776126#776126">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content">
<p>Okay, I've put together a quickstart app, but I'm still confused about something.</p>
<p>If a method of a managed bean invokes HttpServletRequest#logout and HttpSession#invalidate and then attempts to invoke a method on a secure EJB, this should be forbidden by JBoss security. Is this true?</p>
<p>Because what I'm observing is that JBoss security only forbids such a method invocation if the user's password has been changed in the underlying data source during the user's session. As long as the user's password has not been changed, the secure method can be invoked after the principal has been removed and after the session has been destroyed.</p>
<p>Check out the attached application.</p>
<p>1. Make a browser request against localhost/Foobar. You will be redirected to index.xhtml.</p>
<p>2. Login.</p>
<p>3. If login is successful, you will be served loggedIn.xhtml, a facelet that allows you to change the password or log out. If you change the password, loggedIn.xhtml is reloaded.</p>
<p>4. Re-enter the password that you logged in with and click <em>Submit New Password</em>.</p>
<p>5. Click <em>Logout Failure</em>, which programmatically logs you out and ends the session prior to looking up LoginHistoryService and invoking LoginHistoryService#create.</p>
<p>6. Notice that no error occurred. LoginHistoryService EJB, which is protected by @RolesAllowed("SYSTEM_ADMINISTRATOR"), was looked up and LoginHistoryService#create was invoked <em>after</em> programmatic logout.</p>
<p>7. Repeat steps 2 - 5, except on step 4 enter a different password. Notice that in step 6 an error occurs, EJBAccessException: JBAS013323: Invalid User. In the stack trace note the following:</p>
<pre class="jive-pre"><code class="jive-code">PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
</code></pre>
<p>In both scenarios above, the password was changed in the underlying database during the user's session. The only difference is that in one case the password was identical to the login password and in the other case the password was changed to a different one. In both cases HttpServletRequest#logout and HttpSession#invalidate were invoked <em>prior</em> to invoking LoginHistoryService#create.</p>
<p>8. Repeat steps 2 - 7, except on step 5 click <em>Logout Success</em> instead of <em>Logout Failure</em>. The only difference between <em>Logout Failure</em> and <em>Logout Success</em> is that LoginHistoryService#create is invoked prior to HttpServletRequest#logout and HttpSession#invalidate. What step 8 demonstrates is that JBoss Security behaves as expected when LoginHistoryService#create is invoked prior to removing the principal and destroying the session.</p>
<p>It seems that in the above scenarios JBoss Security should not attempt to authenticate the user after HttpServletRequest#logout is invoked. Instead of attempting to authenticate, it should be attempting to authorize, and if the principal has been removed the error should come back as follows:</p>
<pre class="jive-pre"><code class="jive-code">javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void com.foobar.service.LoginHistoryService.create(com.foobar.model.LoginHistory) of bean: LoginHistoryService is not allowed
</code></pre>
<p>instead of the FailedLoginException.</p>
<p>I will finish my wiki article and post it with the quickstart after this confusion is resolved.</p></div>
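<p>The ordering that step 8 of the post reports as behaving correctly, written out as an added example (this is not the attached quickstart's code): the secured EJB is called while the request still carries the authenticated principal, and only afterwards are the principal and the session dropped. <code>LoginHistoryService</code>, <code>LoginHistory</code> and the <code>SYSTEM_ADMINISTRATOR</code> role are taken from the post; the JSF bean, its navigation outcome and the <code>LoginHistory</code> constructor are assumptions.</p>

```java
import javax.ejb.EJB;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not the quickstart's code. LoginHistoryService#create is the
// EJB method the post describes as protected by @RolesAllowed("SYSTEM_ADMINISTRATOR").
@ManagedBean
@RequestScoped
public class LogoutBean {

    @EJB
    private LoginHistoryService loginHistoryService;

    // Mirrors the post's "Logout Success" button: audit first, log out second.
    // Calling the secured EJB after HttpServletRequest#logout (the "Logout
    // Failure" ordering) is what the post observes being accepted unexpectedly,
    // so application code should not rely on that call being rejected.
    public String logout() throws ServletException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        HttpSession session = (HttpSession) ec.getSession(false);

        String user = request.getRemoteUser();
        if (user == null) {
            // No authenticated principal: nothing to audit, nothing to log out.
            return "index?faces-redirect=true"; // assumed navigation outcome
        }

        // 1. Record the event while the caller still holds SYSTEM_ADMINISTRATOR,
        //    so the container authorizes against a live security context.
        loginHistoryService.create(new LoginHistory(user, "LOGOUT")); // assumed constructor

        // 2. Only now remove the principal and destroy the session.
        request.logout();
        if (session != null) {
            session.invalidate();
        }
        return "index?faces-redirect=true";
    }
}
```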
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>