Hello,
I'm using Jboss version 4.0.5.GA. My EJB application accepts 2 kinds of client:
1. Http clients users connect using a web browser and authenticate with respect to the
policy "bitastarRealm" (see below for the details)
2. JaxRpc clients connect through (servlet-like) Web Services and authenticate on the
policy "bitastarRealm_noDisable"
The authentication is performed against login/passwords saved in a common database. This
means users will be able to connect through the web browser and the web services using the
same login/password
The two policies are defined as follows:
<application-policy name = "bitastarRealm">
| <authentication>
| <login-module code =
"com.bitaplus.bitastar.web.security.auth.jboss.JbossEjbLoginModule" flag =
"required">
| <module-option
name="hashAlgorithm">MD5</module-option>
| <module-option
name="hashEncoding">base64</module-option>
| <module-option
name="disableOnLoginFailure">true</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
| <application-policy name = "bitastarRealm_noDisable">
| <authentication>
| <login-module code =
"com.bitaplus.bitastar.web.security.auth.jboss.JbossEjbLoginModule" flag =
"required">
| <module-option
name="hashAlgorithm">MD5</module-option>
| <module-option
name="hashEncoding">base64</module-option>
| <module-option
name="disableOnLoginFailure">false</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
The second one is set up s.t. the users are not disable despite of the number of failed
log ons.
The problem is the authentication caching, the one defined through the parameter
"DefaultCacheTimeout":
<attribute name="DefaultCacheTimeout">172800</attribute>
|
When the JaxRpc clients authenticate in the web tier everything is fine, they authenticate
in the "bitastarRealm_noDisable" policy. But when the app accesses the business
tier the same session is re-authenticated using the cached "bitastarRealm"
policy, if the user previously logged in using the web browser. I can fix this temporarily
setting the DefaultCacheTimeout equals to zero.
I'd like to find a better solution.
Do you have any suggestion?
Thanks,
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4150734#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...