[jboss-user] [Security & JAAS/JBoss] - Password is changed after login
atamur
do-not-reply at jboss.com
Wed Sep 6 04:59:17 EDT 2006
I needed permanent login feature for my web app.
I did it as follows:
Created login module PermanentLoginModule that authenticates user over special table in db (user_id, secret). After usual authntication by username and pasword, if a special checkbox was checked a cookie with secret is stored in user`s browser and this secret is also stored in db.
When this user comes back my login.jsp forwards user to j_security_check with user_id as name and secret as password. Then, request gets into PermanentLoginModule and user is authenticated. As a security preventive measures this secret is immediatly changed to a new one.
Well, until now looks pretty logical =)
But than I got a serious problem. AFAIU the root of the problem is that Jboss stores inside credentials entered by user (user_id and out of date secret) and after 30 minutes, when internal cache expires it tries to test this credentials over db. And it fails, because user already has new secret.
So. This is my problem (if someone got to this point =)).
Please tell me, what can be done?
And maybe, just maybe I'm wrong and jboss doesn't store entered credentials ...
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3969666#3969666
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3969666
More information about the jboss-user
mailing list