[jboss-user] [Security & JAAS/JBoss] - Prevent Multiple Authentication Sessions for a Single Accoun

clevelam do-not-reply at jboss.com
Mon Nov 17 20:34:59 EST 2008


Hi, 

I'm trying to determine the best way to prevent multiple authenticated sessions for a single account. I'm using JBOSS's WebAuthentication class to do programmatic authentication, as well as having a custom login module on the other end. The login module verifies credentials as well as sets an in-use flag in a database.

When attempting to log in a second time, I noticed that JBOSS cached the security credentials and was not performing a full login in order to check the database status.

I then figured out how to disable credential caching in JBOSS.

When I tried to do a second login on the next occurrence, I noticed that JBoss actually calls logout before logging in. So, the in-use flag is reset to not in use and a second user is able to log in.

Any help with this situation would be appreciated. I would like a situation where if a user tries to log in from another computer he is told that the account is in use.

Additionally, and I'm still trying to verify this requirement: if a user opens a second browser, I want him to get a message saying in use. If the browser closes altogether and opens up again, I want to let him back in.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4189955#4189955
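
The logout-before-login problem described in the post, as an added example that is not part of the original post and is not JBoss code: the in-use flag is stored together with the session ID that set it, so a logout issued on behalf of a different session cannot clear it, and it carries an expiry so an abandoned session does not lock the account forever. The class name, the in-memory map standing in for the database table, the 30-minute lifetime and the sample account and session IDs are all assumptions; records need Java 16 or later.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical registry: one live session per account, keyed by the owning session ID. */
public class SingleSessionRegistry {
    private record Lease(String sessionId, Instant expires) {}

    // Stand-in for the database table holding the in-use flag (assumption).
    private final Map<String, Lease> leases = new ConcurrentHashMap<>();
    private final Duration ttl;

    public SingleSessionRegistry(Duration ttl) { this.ttl = ttl; }

    /**
     * Call from the login module's login(), and again on each authenticated
     * request to renew. Returns false when another live session owns the account.
     */
    public boolean tryAcquire(String account, String sessionId, Instant now) {
        Lease result = leases.compute(account, (k, cur) -> {
            boolean free = cur == null || !cur.expires().isAfter(now);
            boolean mine = cur != null && cur.sessionId().equals(sessionId);
            return (free || mine) ? new Lease(sessionId, now.plus(ttl)) : cur;
        });
        return result.sessionId().equals(sessionId);
    }

    /** Call from logout(); only the session that set the flag may clear it. */
    public boolean release(String account, String sessionId) {
        Lease cur = leases.get(account);
        return cur != null && cur.sessionId().equals(sessionId) && leases.remove(account, cur);
    }

    public static void main(String[] args) {
        SingleSessionRegistry reg = new SingleSessionRegistry(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2008-11-17T20:00:00Z"); // constructed timestamp
        // First login from computer A.
        System.out.println("A login:      " + reg.tryAcquire("alice", "sess-A", t0));
        // Container calls logout for the new session before its login.
        System.out.println("B pre-logout: " + reg.release("alice", "sess-B"));
        // Second login from computer B while A's lease is live.
        System.out.println("B login:      " + reg.tryAcquire("alice", "sess-B", t0.plusSeconds(60)));
        // A new session after A's lease has lapsed without renewal.
        System.out.println("C login:      " + reg.tryAcquire("alice", "sess-C", t0.plusSeconds(3600)));
    }
}
```

A reopened browser normally arrives with a new session ID, so in this sketch it is let back in only once the old lease has lapsed; the lifetime chosen bounds how long that lockout lasts.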
