0 Replies Latest reply on Feb 10, 2011 2:55 AM by veevek

    JBoss security authentication due to cache timeout vs first time authentication

    veevek

      We have a custom JAAS login module. When a protected EJB is called, JBoss calls this login module for authentication. The user credentials are cached. In the same thread, when a protected EJB is called again (after cache timeout), JBoss calls this login module again.

      I want to be able to differentiate between these two calls in the custom login module.

      If you want to know the minute details, please read through.

      1. DatabaseServerLoginModule is extended for authentication such that, every time the user logs in, it is audited in the database (a new record is added).

      2. Once the user logs in, the first EJB call results in DatabaseServerLoginModule being called by JBoss, and thus the login is audited in the DB.

      3. All subsequent EJB calls (within the next 30 minutes) from that user are authenticated by JBoss using the cache. There is no audit entry in the DB, as expected.

      4. After 30 minutes, the cache times out, and the next EJB call results in an authenticate call to DatabaseServerLoginModule, which inserts an audit record in the DB.

      Our requirement is that the login is audited in the DB only when the user performs the login function (i.e. the first EJB call) and not during subsequent EJB calls.

      Ways this can be achieved (Questions)

      1. In the custom login module, check the cause of the call: user login or JBoss cache timeout.

      Is there a flag/parameter which JBoss passes during authentication (to DatabaseServerLoginModule) which could determine if this call is due to cache timeout?

      2. DefaultCacheTimeout can be set to -1, such that only during the first call is the audit performed, and all subsequent calls are handled by the cache.

      This is not working as expected. The behaviour is the same as when DefaultCacheTimeout is set to 0. Has anyone tried this? Does this work for you?

      3. Is there a way to know for which EJB this authenticate function is being called? I could then audit only for the login EJB.

      Any help is appreciated!
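The setup described in the post (a DatabaseServerLoginModule subclass that writes an audit row on every successful login), shown as an added example that is not the poster's code or JBoss's own. The class name, package, the LOGIN_AUDIT table and its two columns are assumptions; the module is registered in login-config.xml in place of DatabaseServerLoginModule with the same dsJndiName, principalsQuery and rolesQuery options, and the audit row goes through that same DataSource. It makes the problem visible: JBoss invokes login() both on the user's first protected-EJB call and again once the cached credentials expire, and from inside this method the two invocations look the same, so both get audited.

```java
package com.example.security; // assumed package name

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;

import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * DatabaseServerLoginModule subclass that records every successful
 * authentication in an audit table (step 1 of the post).
 *
 * Configured in login-config.xml exactly like DatabaseServerLoginModule
 * (dsJndiName, principalsQuery, rolesQuery); the audit insert reuses the
 * module's own DataSource, so no second connection is configured.
 */
public class AuditingDatabaseServerLoginModule extends DatabaseServerLoginModule {

    /** Assumed audit table and columns; adjust to the real schema. */
    private static final String AUDIT_SQL =
        "INSERT INTO LOGIN_AUDIT (USERNAME, LOGIN_TIME) VALUES (?, ?)";

    @Override
    public boolean login() throws LoginException {
        // Normal password check against principalsQuery. JBoss calls this
        // for the user's first protected-EJB call and again after the
        // cached credentials time out; nothing passed in here tells the
        // two cases apart, so both end up in the audit table.
        boolean authenticated = super.login();
        if (authenticated) {
            audit(getUsername());
        }
        return authenticated;
    }

    /** Inserts one audit row; a failed insert fails the login (fail closed). */
    private void audit(String username) throws LoginException {
        Connection conn = null;
        PreparedStatement ps = null;
        try {
            // dsJndiName is the protected field DatabaseServerLoginModule
            // fills from the module's "dsJndiName" option.
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            conn = ds.getConnection();
            ps = conn.prepareStatement(AUDIT_SQL);
            ps.setString(1, username);
            ps.setTimestamp(2, new Timestamp(System.currentTimeMillis()));
            ps.executeUpdate();
        } catch (NamingException e) {
            throw new LoginException("audit DataSource lookup failed: " + e.getMessage());
        } catch (SQLException e) {
            throw new LoginException("audit insert failed: " + e.getMessage());
        } finally {
            if (ps != null) {
                try { ps.close(); } catch (SQLException ignored) { }
            }
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
    }
}
```

Two design points worth noting. The audit failure is turned into a LoginException so that a login can never succeed without a matching audit row; if availability matters more than a complete audit trail, log the error and return the authentication result instead. The row is written in login() to match the post; in a stacked login configuration the JAAS commit() phase is the more accurate place, since another module in the stack can still fail the overall login after this one's login() has returned true.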