Patrick Garner [
https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit:
https://community.jboss.org/message/776126#776126
--------------------------------------------------------------
Okay I've put together a quickstart app, but I'm still confused about something.
If a method of a managed bean invokes HttpServletRequest#logout and HttpSession#invalidate
and attempts to invoke a method on a secure EJB, this should be forbidden by JBoss
security. Is this true?
Because what I'm observing is that JBoss security only forbids such method invocation
if the user's password has been changed in the underlying data source during the
user's session. As long as the user's password has not been changed the secure
method can be invoked after the principal has been removed and after the session has been
destroyed.
Check out the attached application.
1. Make a browser request against localhost/Foobar. You will be redirected to
index.xhtml.
2. Login
3. If login is successful, you will be served loggedIn.xhtml, a facelet that allows you
to change the password or log out. If you change the password loggedIn.xhtml is
reloaded.
4. Re-enter the password that you logged in with and click +Submit New Password+.
5. Click +Logout Failure+, which programmatically logs you out and ends the session prior
to looking up LoginHistoryService and invoking LoginHistoryService#create.
6. Notice that no error occurred. LoginHistoryService EJB, which is protected by
@RolesAllowed("SYSTEM_ADMINISTRATOR"), was looked up and
LoginHistoryService#create was invoked +after+ programmatic logout.
7. Repeat steps 2 - 5 except on step 4 enter a different password. Notice that in step 6
an error occurs, EJBAccessException: JBAS013323: Invalid User. In the stack trace note
the following:
PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070:
Password invalid/Password required
In both scenarios above, the password was changed in the underlying database during the
user's session. The only difference is that in one case the password was identical to
the login password and in the other case the password was changed to a different
password. In both cases HttpServletRequest#logout and HttpSession#invalidate were invoked
+prior+ to invoking LoginHistoryService#create.
8. Repeat steps 2 - 7 except on step 5 click +Logout Success+ instead of +Logout
Failure+. The only difference between +Logout Failure+ and +Logout Success+ is that
LoginHistory#create is invoked prior to HttpServletRequest#logout and
HttpSession#invalidate. What step 8 demonstrates is that JBoss Security behaves as
expected when LoginHistoryService#create is invoked prior to removing the principal and
destroying the session.
It seems that in the above scenarios JBoss Security should not attempt to authenticate the
user after HttpServletRequest#logout is invoked. Instead of attempting to authenticate it
should be attempting to authorize, and if the principal has been removed the error should
come back as follows:
javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void
com.foobar.service.LoginHistoryService.create(com.foobar.model.LoginHistory) of bean:
LoginHistoryService is not allowed
instead of the FailedLoginException.
I will finish my wiki article and post it with the quickstart after this confusion is
resolved.
--------------------------------------------------------------
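As an added illustration (not the quickstart attached to the post), the two button orderings described in steps 5 and 8 as a JSF managed bean, with a web-tier check that refuses to touch the secured EJB once the principal is gone. LoginHistoryService, LoginHistory and the +SYSTEM_ADMINISTRATOR+ role are the post's names; the bean class, its package and the navigation outcomes are assumptions.

```java
package com.foobar.web; // assumed package for the example bean

import javax.ejb.EJB;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.foobar.model.LoginHistory;
import com.foobar.service.LoginHistoryService;

@Named
@RequestScoped
public class LogoutBean {

    // Secured with @RolesAllowed("SYSTEM_ADMINISTRATOR") in the post's quickstart.
    @EJB
    private LoginHistoryService loginHistoryService;

    /** "Logout Success" ordering: record the event while the caller is still authenticated, then log out. */
    public String logoutSuccess() throws ServletException {
        loginHistoryService.create(new LoginHistory());
        endWebSession();
        return "index?faces-redirect=true"; // assumed outcome name
    }

    /** "Logout Failure" ordering: log out first, then decide whether the EJB may still be called. */
    public String logoutFailure() throws ServletException {
        HttpServletRequest request = endWebSession();
        // The post observes that the container still accepts the call here unless the password changed.
        // Checking the principal ourselves keeps the web tier from relying on that behaviour.
        if (request.getUserPrincipal() == null) {
            return "index?faces-redirect=true"; // caller is anonymous: do not invoke the secured bean
        }
        loginHistoryService.create(new LoginHistory());
        return "index?faces-redirect=true";
    }

    /** HttpServletRequest#logout followed by HttpSession#invalidate, as in the quickstart steps. */
    private HttpServletRequest endWebSession() throws ServletException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) ctx.getExternalContext().getRequest();
        request.logout();
        HttpSession session = (HttpSession) ctx.getExternalContext().getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return request;
    }
}
```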