[jboss-user] [Security & JAAS/JBoss] - Re: Bug in security cache - 4.0.4.GA

sim-smith do-not-reply at jboss.com
Fri Apr 20 17:13:35 EDT 2007


"jhmjesus" wrote : It tries to propagate the caller security context including the ClientLoginModule in your login-config.xml. See at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

Hi jmhjesus,

Thanks for your reply.  I understand what is going on here - the setup works for us most of the time, but every now and again a request fails.

In our login-config.xml (actually it's in a jboss-service.xml embedded in our JAR in an EAR) we have two LoginModules specified, the first is our own custom one, and the second is ClientLoginModule.  The ClientLoginModule is attempting to keep the security stack correct by pushing upon successful login, and popping on logout.  The problem in this case is that it is popping the wrong entry, because JaasSecurityManager has just put a new entry on the stack - the ordering is wrong.  A probable answer is to dispose of the invalid cache entry before attempting to re-authenticate.

We have been running our app with the cache timeout set to a very large number (100 days) to avoid previous problems and the app has been working perfectly, apart from the credentials being cached for inordinate lengths of time.  I've found and fixed the previous problem, but having a small timeout causes this issue for us.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039425#4039425
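
A simplified model of the push/pop ordering described in the message above, added here as an illustration; it is not JBoss code and not the poster's. The class, method and identity names are hypothetical, and the `Deque` stands in for the security stack the post mentions.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Simplified model of the ordering problem described in the post; not JBoss code. */
public class SecurityStackOrdering {

    // Stands in for the security stack the post refers to (hypothetical name).
    static final Deque<String> stack = new ArrayDeque<>();

    /** Models a cached login whose module pushes on login and pops on logout. */
    static final class CachedLogin {
        final String id;
        CachedLogin(String id) { this.id = id; }
        void login() { stack.push(id); }
        // The pop is positional: it removes whatever is on top,
        // which is not necessarily the entry this login pushed.
        String logout() { return stack.pop(); }
    }

    /** Ordering the post reports: re-authenticate first, then dispose of the expired entry. */
    static String reauthThenDispose() {
        stack.clear();
        CachedLogin expired = new CachedLogin("alice#expired"); // constructed sample identity
        expired.login();                  // original login, now timed out in the cache
        CachedLogin fresh = new CachedLogin("alice#fresh");
        fresh.login();                    // new entry goes on top of the expired one
        expired.logout();                 // removes the top entry, i.e. the fresh one
        return stack.peek();              // entry left for the rest of the request
    }

    /** Ordering the post suggests: dispose of the invalid entry, then re-authenticate. */
    static String disposeThenReauth() {
        stack.clear();
        CachedLogin expired = new CachedLogin("alice#expired");
        expired.login();
        expired.logout();                 // the expired entry is on top, so it is the one removed
        CachedLogin fresh = new CachedLogin("alice#fresh");
        fresh.login();
        return stack.peek();
    }

    public static void main(String[] args) {
        System.out.println("re-auth then dispose -> top of stack: " + reauthThenDispose());
        System.out.println("dispose then re-auth -> top of stack: " + disposeThenReauth());
    }
}
```

In this model the first ordering leaves the expired entry on the stack, and the second leaves the freshly authenticated one.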