Hello,
I have implemented a class that extends the UsernamePasswordLoginModule to allow 
authentication against our own system. It also provides authorisation by returning a 
group (with the name "Roles") from the getRoleSets method, which contains dynamically 
queried roles. This allows us to set up web applications using the realm based 
authentication, defining the roles in the web.xml file as the ones returned in the 
"Roles" object. However, I notice that if I deny access to a role after a user has 
logged in once, the user still has access (unless I restart the JBoss server). It 
seems the server is caching the information for the login. I implemented something 
similar a while ago for a standalone Tomcat server (subclassing the RealmBase class) 
which seemed to check the roles each time the user logged in, and I assumed this would 
behave in a similar fashion.

Currently, the setup I have:

Standard JBoss 3.2.3 download.

Server/default/lib has a jar file placed in it containing the implementation of the 
UsernamePasswordLoginModule subclass.

Server/default/conf/login-config.xml has an element added to the client-login 
<application-policy> element to define my new class.

The web application contains a jboss-web.xml file defining the <security-domain> 
element for client-login

The web application web.xml file defines <security-constraint>, <login-config> and 
<security-role> elements to set up the restrictions based on the named roles.

Does anyone have experience of this sort of issue? Have I perhaps not correctly 
understood the security and am implementing this in the wrong way, or could it be a 
setting that I have missed somewhere?

Any help much appreciated.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841501#3841501
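The behaviour described in the post matches what JBoss's JaasSecurityManager does: a successful login is held in a per-security-domain authentication cache, so the login module's getRoleSets is not re-run on every request. The sketch below is an added example, not the poster's code and not JBoss's own source; it shows a UsernamePasswordLoginModule subclass that returns a dynamically built "Roles" group, together with the administrative step that makes a role revocation take effect without a server restart: invoking the JaasSecurityManager MBean's flushAuthenticationCache for the affected domain. The backing store ("our own system") is replaced by constructed in-memory maps, the class and package names are hypothetical, and the security domain name "client-login" is the one from the post.

```java
package example.security; // hypothetical package

import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.login.LoginException;

import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Login module that authenticates against a custom store and returns the
 * user's current roles in a group named "Roles" (the name JBoss maps onto
 * the web.xml security-role names). Java 1.4 style to match JBoss 3.2.x.
 */
public class DynamicRolesLoginModule extends UsernamePasswordLoginModule {

    // Constructed stand-in for the real user store: username -> password.
    private static final Map PASSWORDS = new HashMap();
    // Constructed stand-in for the real role store: username -> role names.
    private static final Map ROLES = new HashMap();

    static {
        PASSWORDS.put("alice", "alice-secret");
        ROLES.put("alice", new String[] { "user", "admin" });
    }

    /** Password the superclass compares against the one supplied at login. */
    protected String getUsersPassword() throws LoginException {
        // Returning null makes the superclass reject the login.
        return (String) PASSWORDS.get(getUsername());
    }

    /** Builds the "Roles" group from whatever the store holds right now. */
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] roleNames = (String[]) ROLES.get(getUsername());
        if (roleNames != null) {
            for (int i = 0; i < roleNames.length; i++) {
                roles.addMember(new SimplePrincipal(roleNames[i]));
            }
        }
        return new Group[] { roles };
    }

    /**
     * Administrative path: drop a role from the store, then flush the cached
     * login for the security domain so the next request re-runs this module.
     * securityDomain is the jboss-web.xml domain, "client-login" in the post.
     */
    public static void revokeRole(String username, String role, String securityDomain)
            throws Exception {
        String[] current = (String[]) ROLES.get(username);
        if (current != null) {
            java.util.List kept = new java.util.ArrayList(Arrays.asList(current));
            kept.remove(role);
            ROLES.put(username, (String[]) kept.toArray(new String[kept.size()]));
        }
        flushAuthenticationCache(securityDomain);
    }

    /** Clears the JaasSecurityManager's authentication cache for one domain. */
    public static void flushAuthenticationCache(String securityDomain) throws Exception {
        MBeanServer server = MBeanServerLocator.locateJBoss();
        ObjectName securityManager =
            new ObjectName("jboss.security:service=JaasSecurityManager");
        server.invoke(securityManager, "flushAuthenticationCache",
                      new Object[] { securityDomain },
                      new String[] { "java.lang.String" });
    }
}
```

Two checks go with this. First, the cache lifetime is governed by the JaasSecurityManager service in conf/jboss-service.xml (the DefaultCacheTimeout and DefaultCacheResolution attributes, in seconds); shortening the timeout bounds how long a revoked role stays usable even without an explicit flush, at the cost of more frequent calls into the backing store. Second, flushing only affects the server-side cache: a browser session that is already authenticated is re-checked against the login module on its next request, so revocation takes effect at that point rather than immediately for an in-flight request.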