[jboss-user] [Security & JAAS/JBoss] - Authentication policies conflict
tremalnaik
do-not-reply at jboss.com
Wed May 14 09:23:52 EDT 2008
Hello,
I'm using JBoss version 4.0.5.GA. My EJB application accepts two kinds of client:
1. HTTP clients: users connect using a web browser and authenticate with respect to the policy "bitastarRealm" (see below for the details).
2. JAX-RPC clients: they connect through (servlet-like) web services and authenticate on the policy "bitastarRealm_noDisable".
The authentication is performed against logins/passwords saved in a common database. This means users will be able to connect through the web browser and the web services using the same login/password.
The two policies are defined as follows:
<application-policy name = "bitastarRealm">
  <authentication>
    <login-module code = "com.bitaplus.bitastar.web.security.auth.jboss.JbossEjbLoginModule" flag = "required">
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="disableOnLoginFailure">true</module-option>
    </login-module>
  </authentication>
</application-policy>

<application-policy name = "bitastarRealm_noDisable">
  <authentication>
    <login-module code = "com.bitaplus.bitastar.web.security.auth.jboss.JbossEjbLoginModule" flag = "required">
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="disableOnLoginFailure">false</module-option>
    </login-module>
  </authentication>
</application-policy>

The second one is set up so that the users are not disabled regardless of the number of failed logons.
The problem is the authentication caching, the one defined through the parameter "DefaultCacheTimeout":
<attribute name="DefaultCacheTimeout">172800</attribute>

When the JAX-RPC clients authenticate in the web tier everything is fine: they authenticate on the "bitastarRealm_noDisable" policy. But when the app accesses the business tier, the same session is re-authenticated using the cached "bitastarRealm" policy if the user previously logged in using the web browser. I can fix this temporarily by setting DefaultCacheTimeout to zero.
I'd like to find a better solution.
Do you have any suggestion?
Thanks,
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4150734#4150734
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4150734
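As an added illustration (not the poster's JbossEjbLoginModule and not JBoss's own code), here is a hypothetical JAAS LoginModule that consumes the three module-options used in the policies above: it hashes the supplied password with the configured hashAlgorithm/hashEncoding (MD5 + base64 as in the post, hex also accepted) and honours disableOnLoginFailure. The in-memory account store, the user "alice", her password and the threshold of three failed attempts are constructed assumptions for the example; a real module would read the account from the database. Note for the caching problem described in the post: the lockout state lives in the login module, while the JaasSecurityManager's authentication cache (the DefaultCacheTimeout of 172800 seconds, i.e. 48 hours) holds the authenticated principal separately per security domain, so a principal already cached in one domain keeps being accepted there until that entry expires or the domain's cache is flushed (the JaasSecurityManagerService MBean exposes a flushAuthenticationCache operation), whatever the module would decide on a fresh call.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical login module: consumes hashAlgorithm, hashEncoding and disableOnLoginFailure. */
public class HashedLockoutLoginModule implements LoginModule {

    /** Assumed lockout threshold; the post does not state the real one. */
    static final int MAX_FAILURES = 3;

    /** Constructed in-memory account record standing in for the shared database row. */
    static final class Account {
        final String storedHash;   // encode(digest(password)) per hashAlgorithm/hashEncoding
        int failures;
        boolean disabled;
        Account(String storedHash) { this.storedHash = storedHash; }
    }

    /** Constructed sample store, keyed by login name (hypothetical user and password). */
    static final Map<String, Account> ACCOUNTS = new HashMap<>();
    static { ACCOUNTS.put("alice", new Account(hash("MD5", "base64", "s3cret"))); }

    private CallbackHandler handler;
    private String hashAlgorithm = "MD5";
    private String hashEncoding = "base64";
    private boolean disableOnLoginFailure = true;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        // Each module-option arrives as a String in the options map.
        if (options.get("hashAlgorithm") != null) hashAlgorithm = (String) options.get("hashAlgorithm");
        if (options.get("hashEncoding") != null) hashEncoding = (String) options.get("hashEncoding");
        if (options.get("disableOnLoginFailure") != null)
            disableOnLoginFailure = Boolean.parseBoolean((String) options.get("disableOnLoginFailure"));
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("login: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] secret = pw.getPassword();
        // Hash the supplied password exactly as the stored value was produced.
        String supplied = hash(hashAlgorithm, hashEncoding, secret == null ? "" : new String(secret));
        pw.clearPassword();

        Account acct = ACCOUNTS.get(name.getName());
        if (acct == null) throw new FailedLoginException("unknown user");
        if (acct.disabled) throw new FailedLoginException("account disabled");
        // Constant-time comparison of the two encoded digests.
        if (!MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                   acct.storedHash.getBytes(StandardCharsets.UTF_8))) {
            acct.failures++;
            // disableOnLoginFailure=true  ("bitastarRealm"): lock the account at the threshold.
            // disableOnLoginFailure=false ("bitastarRealm_noDisable"): count, but never lock out.
            if (disableOnLoginFailure && acct.failures >= MAX_FAILURES) acct.disabled = true;
            throw new FailedLoginException("bad password");
        }
        acct.failures = 0;   // a successful login resets the counter
        succeeded = true;
        return true;
    }

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }

    /** digest(password) with the given algorithm, encoded as "base64" (default) or "hex". */
    static String hash(String algorithm, String encoding, String password) {
        try {
            byte[] digest = MessageDigest.getInstance(algorithm)
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            if ("hex".equalsIgnoreCase(encoding)) {
                StringBuilder sb = new StringBuilder();
                for (byte b : digest) sb.append(String.format("%02x", b));
                return sb.toString();
            }
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("unsupported hashAlgorithm " + algorithm, e);
        }
    }
}
```

The module is wired into a policy like the ones in the post by naming its class in the login-module `code` attribute; the same class then behaves as "bitastarRealm" or "bitastarRealm_noDisable" purely through the disableOnLoginFailure option. An unsalted MD5 digest, as configured here, offers no protection against precomputed tables if the stored hashes leak; the example keeps it only to match the options shown in the post.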
More information about the jboss-user mailing list