[jboss-user] [Security & JAAS/JBoss] - JAAS login/logout behaviour
abille
do-not-reply at jboss.com
Fri Mar 6 06:17:46 EST 2009
Hello all,
I would be glad to find a solution to the following problem:
I have a client which makes subsequent calls to login and logout against an EJB 3 server. The principal can be relatively complex. There is an EJB method called "test", which simply returns the name of the callerPrincipal set in the SessionContext.
The following test code works:
import javax.naming.InitialContext;
import org.jboss.security.client.JBossSecurityClient;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

// authenticate as org_A, look up the remote bean and call the secured method
final SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
client.setSimple("ln=admin,oce=org_A", "passwd");
client.login();
final InitialContext ctxt = new InitialContext();
final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt.lookup("cm3ear/AdministrationService/remote");
System.out.println(adminService.test());
giving the expected output
ln=admin,oce=org_A
Now I change the code to
// same login and lookup as before ...
final SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
client.setSimple("ln=admin,oce=org_A", "passwd");
client.login();
final InitialContext ctxt = new InitialContext();
final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt.lookup("cm3ear/AdministrationService/remote");
System.out.println(adminService.test());
// ... then log out and call the same proxy again
client.logout();
System.out.println(adminService.test());
Again, I do get the expected behaviour, that is, after the output
ln=admin,oce=org_A
an EJBAccessException is thrown for the second call into adminService.test().
When I change the code to the following:
// same login and lookup as before ...
final SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
client.setSimple("ln=admin,oce=org_A", "passwd");
client.login();
final InitialContext ctxt = new InitialContext();
final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt.lookup("cm3ear/AdministrationService/remote");
System.out.println(adminService.test());
// ... then log out, log in again as a different user and reuse the same proxy
client.logout();
client.setSimple("ln=admin,oce=org_B", "passwd");
client.login();
System.out.println(adminService.test());
I would expect the following output:
ln=admin,oce=org_A
ln=admin,oce=org_B
because I logged in with a different user the second time.
Instead, the output is
ln=admin,oce=org_A
ln=admin,oce=org_A
meaning that JBoss caches the user somewhere else.
On the server side we can see that the logout method of the configured LoginModule is never called, only the login method, and this, no matter how often the last test code runs, always exactly two times: once for the login name ln=admin,oce=org_A and once for the login name ln=admin,oce=org_B. Nevertheless the second login does not show up in the getCallerPrincipal method.
A server restart is necessary to clear the cache.
Is this behaviour a bug, or is it considered correct because a user has already identified itself and it is considered a design error if he must re-identify himself?
Any answers would be appreciated ...
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4215660#4215660
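The following is an added example, not code from the post above or from JBoss: it fills in the server-side half that the post only describes (a stateless bean whose test() returns the caller principal's name) and wraps the client's login/call/logout sequence in a helper so that the re-login check from the third snippet can be run as one program. The security domain name "cm3", the role "admin" and the JBoss 5 annotation package org.jboss.ejb3.annotation are assumptions; the JNDI name, user names and password are those from the post.

```java
// Added example (not the poster's code): server-side bean plus a client helper
// that runs login -> test() -> logout for two users and reports whether the
// caller principal changed. Assumed: security domain "cm3", role "admin",
// JBoss 5 EJB3 annotation package.
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;

import org.jboss.ejb3.annotation.SecurityDomain;        // assumed: JBoss 5 package
import org.jboss.security.client.JBossSecurityClient;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

@Remote
interface AdministrationServiceRemote {
    String test();
}

@Stateless
@SecurityDomain("cm3")                                   // assumed domain name
class AdministrationServiceBean implements AdministrationServiceRemote {
    @Resource
    private SessionContext ctx;

    // Returns the authenticated caller as the container sees it. With
    // @RolesAllowed an unauthenticated call never reaches this body; the
    // container throws EJBAccessException instead.
    @RolesAllowed("admin")                               // assumed role name
    public String test() {
        return ctx.getCallerPrincipal().getName();
    }
}

class ReloginCheck {
    private static final String JNDI_NAME = "cm3ear/AdministrationService/remote";

    // Authenticates as `user`, calls test() through the already-looked-up proxy
    // and logs out again, so each call happens under exactly one login.
    static String callerSeenBy(AdministrationServiceRemote svc, String user, String password) throws Exception {
        SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
        client.setSimple(user, password);
        client.login();
        try {
            return svc.test();
        } finally {
            client.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        AdministrationServiceRemote svc =
            (AdministrationServiceRemote) new InitialContext().lookup(JNDI_NAME);

        String first  = callerSeenBy(svc, "ln=admin,oce=org_A", "passwd");
        String second = callerSeenBy(svc, "ln=admin,oce=org_B", "passwd");
        System.out.println("first call saw:  " + first);
        System.out.println("second call saw: " + second);
        if (first.equals(second)) {
            System.out.println("re-login did NOT change the caller principal");
        }

        // After logout the same proxy must be refused; a successful call here
        // means the server is still honouring a stale identity.
        try {
            svc.test();
            System.out.println("call after logout succeeded: stale identity still accepted");
        } catch (EJBAccessException expected) {
            System.out.println("call after logout rejected as expected");
        }
    }
}
```

Run the client part against a server that deploys the bean under the JNDI name from the post; the two println lines make it easy to see whether the second login is reflected in getCallerPrincipal, and the final check confirms that a logged-out proxy is actually rejected.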