[undertow-dev] Multiple logins under same user id in Wildfly 9.0.2 uses same subject

arjan tijms arjan.tijms at gmail.com
Tue Jan 5 12:32:41 EST 2016 

Hi,

I remember that in older versions of JBoss there always was a (proprietary)
API to explicitly clear the authentication cache. Maybe this could be of
help here if that API is still there.

An other option would be to try using the Java EE standard API for custom
authentication modules. This is called JASPIC and WildFly has excellent
support for those. Support is best in the latest version of WildFly, which
is 10cr5.

Kind regards,
Arjan Tijms





On Tue, Jan 5, 2016 at 9:18 AM, Sony Abraham <sony.abraham at ibsplc.com>
wrote:

> Hi,
>
>
>
> I am trying to port our existing application (in weblogic) to Jboss
> wildfly.
>
>
>
> Our application supports multiple logins under same user id but each
> logins need to be treated in different security context. For this we invoke
> the login modules by invoking j_security_check for each logins attempts. We
> use a custome Jaas login module from where the subject is created with a
> unique user token and set as name of the Principal after successful login.
> But when using wildfly, the login module is invoked only the first time and
> for the subsequent login attempts, the user subject is looked up from the
> domain cache inside JBossCachedAuthenticationManager.
>
>
>
> Further debugging into the issue i noticed below
>
> 1.      After jaas login completes, the
> org.wildfly.extension.undertow.security.AccountImpl in exchange of
> ServletRequest gets updated with the new Principal (token set during jaas
> login) and the OriginalPrincipal remains the same as the user id. This is
> fine  as expected (I hope).
>
> 2.      org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(final
> AccountImpl account, final Object credential) uses the OriginalPrincipal to
> send to authenticationManager for validation. Since this is not updated, it
> will always be the original user id.  Below source code from jboss.as uses
>  account.getPrincipal() for getting the incomingPrincipal. But this is
> now changed to getOriginalPrincipal.  I think this should be the
> principal (not the OriginalPrincipal).
>
> 3.      org.jboss.security.authentication.JBossCachedAuthenticationManager
> caches the subject info against the OriginalPrincipal. Therefor it always
> returns from the cache after the first successful authentication for a user
> id and JAAS login module is never invoked after that. Shouldn't the caching
> happen against the authenticated principal set in the subject
> (CallerPrincipal).
>
>
>
> Can anyone please let me know whether this behavior change is possible ?
> Or is there any way I can configure custom class for
> org.wildfly.extension.undertow.security.JAASIdentityManagerImpl and
> org.jboss.security.authentication.JBossCachedAuthenticationManager in
> wildfly 9.0.2.
>
>
>
> Regards
>
> Sony
>
>
>
>
> DISCLAIMER: "The information in this e-mail and any attachment is
> intended only for the person to whom it is addressed and may contain
> confidential and/or privileged material. If you have received this e-mail
> in error, kindly contact the sender and destroy all copies of the original
> communication. IBS makes no warranty, express or implied, nor guarantees
> the accuracy, adequacy or completeness of the information contained in this
> email or any attachment and is not liable for any errors, defects,
> omissions, viruses or for resultant loss or damage, if any, direct or
> indirect."
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20160105/db6cff65/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 16652 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/undertow-dev/attachments/20160105/db6cff65/attachment-0001.png

More information about the undertow-dev mailing list