[jboss-user] [Security & JAAS/JBoss] - Re: AbstractServerLogin module.logout and cached principals

maggu do-not-reply at jboss.com
Mon Aug 18 11:28:28 EDT 2008

thanks for the reply ragavgomatam. but the problem I am trying to look at is removal of the successful login from the cache. From my example above. Lets say:
1) My DefaultCacheTimeout in jboss-service.xml is set to default (30 mins).
2)I log in as john successfully (username:john, password 1234). Principal john gets cached.
3) I close my browser in 2 minutes. I open my browser after 10 mins. I am prompted with a login screen.
4) I log in, but *incorrectly*. username:john, password 1111. The error page I have defined in my web.xml kicks in.
*At this point, I also want to remove from the cache, the successful login from step 2.*
5) So, now, if john goes back to the login page and logs in correctly, I want to authenticate against my database instead of the cache.

For this I needed a way to go through the subjects, catch the correct subject, get the correct principal and remove it from the correct principal set, yes? That is where I am a bit stuck in, how does one get to all the subjects? I can see the principal being set in the commit method, but in logout, the Set is blank. I believe this is because on my second login attempt, the subject is different that the previous one (successful attempt at step 2).

Another question is: If we cannot call the logout, how do I log out of my web application? Would I need to try session invalidation? I am confused as to how this will remove the principal from JBoss cache.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171077#4171077

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4171077

More information about the jboss-user mailing list