3 Replies Latest reply on May 28, 2012 6:54 AM by pmm

Flushing credential cache from a login module?

pmm Apr 28, 2012 11:39 AM

We have a custom login module that among other things blocks an account once too many login attempts have failed. However this means that after a failed login we have to flush the credential cache in order to protect us from the following scenario:

User enters correct password, credentials are cached
User enters incorrect password several times, account is blocked
User enters correct password; because this matches the credentials in the cache, the check whether the account is blocked is skipped and the block does not work

In AS 5.1 that was easy because we could directly access the MBean. Is there a similar solution for AS 7.1?

1. Re: Flushing credential cache from a login module?

pmm Apr 29, 2012 8:13 AM (in response to pmm)

What I need is what is described in CachingLoginCredentials but for AS7. https://community.jboss.org/message/730760#730760 has a way to do it using a remoting solution, but I need something that works embedded.
Actions
2. Re: Flushing credential cache from a login module?

atijms May 28, 2012 6:37 AM (in response to pmm)

I have implemented something quite simular to this in a custom login module for JBoss AS 5/6. We would like to move to JBoss AS 7, but issues like this keep us from upgrading.

Hoping someone from the JBoss team can provide some insight here.
Actions
3. Re: Flushing credential cache from a login module?

pmm May 28, 2012 6:54 AM (in response to pmm)

It can be done with the native management interface. Over JMX only the whole cache can be flushed. However there's a pull request for AS7-4895 that fixes this.
Actions

Go to original post