I haven't dealt with HTTP authentication,  so I'm not sure if there are any
problems with that.  But if you are using the DatabaseServerLoginModule, the
reason is probably that it caches userIDs and passwords.  It's been a while
since I've looked at the code, but it might be reading the user ID + new
password out of the database when it can't authenticate via the old ones.

At any rate, the old password should stop working within 30 minutes, which
is the default cache time.  As far as I can tell, the only way to change the
cache time is to implement your own cache policy and write your own MBean to
bind it to the appropriate place in JNDI on startup.  (Don't ask me how to
do that last thing, I'm just regurgitating what I read somewhere. :)

If anybody has a great solution to this problem, I'd be interested to hear
about it as well!

Mike

----- Original Message -----
From: "Shamis, Leonid" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 7:01 PM
Subject: [JBoss-user] JBoss/JAAS - changing credential (password) with FORM
based authentication.


> Hello,
>
> I work with JBoss-2.2.2_Tomcat-3.2.2 and J2SE 1.3.1, Windows NT 4 (SP6).
> All my Entity EJB's are CMP.
>
> I've implemented JAAS Based Security with FORM based authentication that
> uses a JDBC based LoginModule defined in auth.conf.
>
> User logs in with his "username" and password "XXXXXX" (using logon.jsp,
> see below). If the parameters are correct, the user is authenticated and
> authorized.
> User can then access protected resources.
>
> I tried to introduce a "My Details" form where the user can change the
> password.
> After populating password and hitting Submit the password is stored in the
> DB.
> The user then logs out by hitting Logoff, and is forwarded to logoff.jsp:
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
> <%@ page import="web.BeanManager" %>
> <%
> request.getSession().invalidate();
>   HttpSession newSession = request.getSession(true);
> %>
> <center>
> <h3>Thank you for participating in our Competition</h3>
> <h3><a href="<%=request.getContextPath()%>/main">Logon</a></h3>
> </center>
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
> By hitting Logon again, the user is forwarded to "/main" and logon.jsp appears
> to request that the user authenticate himself (populate username and password):
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
> <center>
> <h3>Please enter your username and password and click Submit.</h3>
> <br><br><form action="j_security_check" method="post">
> <table>
> <tr>
>    <td align="center" >
>    <table border="0">
>    <tr>
>    <td><b>Username:</b></td>
>    <td>
>       <input type="text" size="15" name="j_username">
>    </td>
>    </tr>
>    <tr>
>    <td><b>Password:</b></td>
>    <td>
>       <input type="password" size="15" name="j_password">
>    </td>
>    </tr>
>    <tr>
>    <td></td>
>    <td align="right">
>    <input type="submit" value="Submit">
>    </td>
>    </tr>
>    <tr>
>    <td><br></td>
>    </tr>
> </table>
> </td>
> </tr>
> </table>
> </form>
> </center>
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
> So far everything works fine.
>
> Now the problem:
>
> The user can still use his PREVIOUS password to log in to the application !!!
>
> Is it because I use CMP Entity EJB to update the user's password?
> Should I destroy some sort of context to force the new password to become
> active?
>
> Again, the password is updated in the DB to the new password, but the user
> can still log in with the old one !!!
>
> Your help will be much appreciated.
>
> Best Regards,
>
> Leonid Shamis
> --------------------
> Directory Technology Pty. Ltd.
> Team Leader - Publishing On-Line System
>
> Phone:    +61 3 9856 5352
> Fax:        +61 3 9856 5000
> E-Mail:   mailto:[EMAIL PROTECTED]
>
>
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-user
>

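As an added illustration (not code from this thread, from JBoss, or from the DatabaseServerLoginModule), the following Java models the mechanism Mike describes: a login path that caches the credential that last authenticated, with a time-to-live set to the 30-minute default cited above. The names UserStore, CachingAuthenticator and flush are hypothetical, and the user and passwords are constructed sample values. It reproduces the reported symptom (the old password keeps working after the DB row changes), shows that the window closes when the entry expires, and shows the mitigation a password-change handler wants: evict that user's cache entry immediately.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/*
 * Hypothetical caching authenticator, written for this illustration only.
 * It is not the JBoss login module; it only models the behaviour described
 * in the thread: successful credentials are cached for a TTL and the store
 * is not consulted again while the cached entry matches.
 */
public class CachingAuthenticatorDemo {

    /** Stand-in for the user table a JDBC login module would query. */
    static class UserStore {
        private final Map<String, byte[]> hashes = new HashMap<>();
        void setPassword(String user, String password) { hashes.put(user, sha256(password)); }
        byte[] getHash(String user) { return hashes.get(user); }
    }

    /** What the cache remembers per user: the hash that last passed, and when it expires. */
    static class CacheEntry {
        final byte[] hash;
        final long expiresAtMillis;
        CacheEntry(byte[] hash, long expiresAtMillis) { this.hash = hash; this.expiresAtMillis = expiresAtMillis; }
    }

    static class CachingAuthenticator {
        private final UserStore store;
        private final long ttlMillis;
        private final Map<String, CacheEntry> cache = new HashMap<>();
        private long nowMillis = 0; // fake clock so the demo is deterministic

        CachingAuthenticator(UserStore store, long ttlMillis) { this.store = store; this.ttlMillis = ttlMillis; }

        boolean login(String user, String password) {
            byte[] presented = sha256(password);
            CacheEntry e = cache.get(user);
            if (e != null && nowMillis < e.expiresAtMillis
                    && MessageDigest.isEqual(e.hash, presented)) {
                // Cache hit: the store is never consulted, so a password changed
                // in the DB after this entry was written is simply not noticed.
                return true;
            }
            // Miss, expired entry, or mismatch against the cached hash: go to the store.
            byte[] stored = store.getHash(user);
            if (stored == null || !MessageDigest.isEqual(stored, presented)) {
                return false;
            }
            cache.put(user, new CacheEntry(stored, nowMillis + ttlMillis));
            return true;
        }

        /** Mitigation: evict the user's entry whenever that user's password is changed. */
        void flush(String user) { cache.remove(user); }

        void advanceClock(long millis) { nowMillis += millis; }
    }

    /** Unsalted SHA-256 keeps the demo short; a real store would use a salted, slow hash. */
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        CachingAuthenticator auth = new CachingAuthenticator(store, 30L * 60 * 1000); // 30 min TTL

        store.setPassword("alice", "old-secret");
        System.out.println("first login, old password:  " + auth.login("alice", "old-secret")); // fills the cache

        store.setPassword("alice", "new-secret"); // the "My Details" form updates the DB row
        System.out.println("old password after change:  " + auth.login("alice", "old-secret")); // stale entry still matches
        System.out.println("new password after change:  " + auth.login("alice", "new-secret")); // cache mismatch -> store -> entry refreshed

        auth.advanceClock(31L * 60 * 1000);
        System.out.println("old password after 31 min:  " + auth.login("alice", "old-secret")); // expired -> store -> rejected

        store.setPassword("alice", "third-secret");
        auth.flush("alice"); // what the password-change handler should do
        System.out.println("old password after flush:   " + auth.login("alice", "new-secret")); // no entry -> store -> rejected
        System.out.println("new password after flush:   " + auth.login("alice", "third-secret"));
    }
}
```

Compile and run with `javac CachingAuthenticatorDemo.java && java CachingAuthenticatorDemo`. The point of the design is the two different exits from login(): while an entry is live and matches, the store is never read, which is exactly the window in which a changed (or revoked) password keeps working. Shortening the TTL narrows that window; evicting the entry from the same code path that writes the new password closes it, which in a real deployment means the password-change handler must reach the cache the server actually uses, not a separate one.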
