Robert Marcano [https://community.jboss.org/people/robmv] created the discussion "JBossCachedAuthenticationManager caching and JAAS modules returning different Principal" To view the discussion, visit: https://community.jboss.org/message/744109#744109 -------------------------------------------------------------- I have been trying to run two applications with EJB remoting on JBoss 7.1.x. My main problem is that currently JBoss only allows one authentication method by remoting port (one realm per port) and the EJB3 subsystem only allows one remoting port. To overcome this limitation, after a few chats on IRC, I decided to implement a realm plugin to do the remoting authentication, overriding the concept of the remote client user name to contain the application name (application name + real user name). I managed to make this work, with a subclass of RemotingLoginModule I remove the application name in order to not expose the application name when EJBs call ctx.getCallerPrincipal().getName() (changing the CallerPrincipal to be my new principal and not the one from the remoting subsystem) Now about picketbox, JBossCachedAuthenticationManager caches the authentication information using as a key the CallerPrincipal that the JAAS module returns, but uses another principal that exists before the authentication to check if the cache is valid. The problem is that when the JAAS module returns a different principal, the cache always misses. let me explain with a little pseudo code --- 1st call cached = domainCache.get(<Principal app + userName>) if (cached != null) {      authenticate();      info.callerPrincipal = <Principal userName>;      domainCache.put(info.callerPrincipal, info); } --- 2nd call cached = domainCache.get(<Principal app + userName>) ... cache misses ... cached is null The domainCache keys are the caller principal from the JAAS module, but when checking if the cache contains an entry, it uses the original principal. There is an assumption that the caller principal is the same or equals to the original principal, and I think that is wrong. I patched it in order to test my hipotessis so it stores as key the original principal, disabling tests because it fails because it is testing that the caller principal is what is stored, and this way caching works. I know my test patch is not the right solution, because it break JBossCachedAuthenticationManager API (containsKey, getCachedKeys, flushCache...), Am I right this is a problem or is there a better way to do this? The patch is simple, instead of calling      domainCache.put(info.callerPrincipal, info); use      domainCache.put(principal, info); -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/744109#744109] Start a new discussion in PicketBox Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&...]