[JBoss-user] [Security JAAS/JBoss] - Re: SSO and disable caching of security credentials fails in
I found the solution: add the attribute requireReauthorization and set it to true for the valve.

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=3862317#3862317

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
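The two configuration pieces the thread refers to, shown together as an added example (not the original poster's files). It assumes the valve attribute is spelled requireReauthentication, as documented for Tomcat's SingleSignOn valve that ClusteredSingleSignOn extends (the reply above gives it as requireReauthorization), and uses the standard JaasSecurityManagerService mbean from a JBoss 4.0 conf/jboss-service.xml:

```xml
<!-- deploy/jbossweb-tomcat50.sar/server.xml: the SSO valve inside the <Host> element.
     Without requireReauthentication the SSO session keeps the roles resolved by
     whichever application the user hit first, which is the over-privilege the
     question describes. With it set to "true" every request is re-authenticated
     against the realm of the context it targets, so that application's roles apply.
     Attribute name assumed from Tomcat's SingleSignOn valve (see lead-in). -->
<Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"
       debug="0"
       requireReauthentication="true" />

<!-- conf/jboss-service.xml: with both cache settings at 0 a re-authentication goes
     back to the login module instead of the credential cache, so role changes take
     effect on the next request rather than at the next cache expiry. -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
  <attribute name="DefaultCacheTimeout">0</attribute>
  <attribute name="DefaultCacheResolution">0</attribute>
</mbean>
```

Disabling the cache means the login module runs on every request for every protected resource, so check its cost (for example a database round trip per request) before applying this on a busy cluster.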
[JBoss-user] [Security JAAS/JBoss] - SSO and disable caching of security credentials fails in Jbo
I have two applications, each with their own context root and each with their own JAAS security domain. I have a set of users with the same logon credentials for both security domains but with differing roles for each domain.

I have enabled SSO by uncommenting the valve org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn in deploy/jbossweb-tomcat50.sar/server.xml. I have also disabled caching of security credentials by setting to zero the DefaultCacheTimeout and DefaultCacheResolution attributes of the JAAS security manager and realm mapping mbean in conf/jboss-service.xml.

I would expect the resultant behaviour to be that a user is asked to sign on once but roles would be determined for every access. However, it appears that roles are determined at the point of sign-on and not for every access. Am I missing something here?

Depending upon which resource the user attempts to access first, their roles are set for the domain that the resource exists in. If they stay within that domain then everything is fine, as they will only have access as their roles permit. If, however, they attempt to access a subsequent domain where they have fewer roles, then they can access resources that they shouldn't be able to.

Is it possible (using declarative security) to have a user authenticate once across multiple applications (within a cluster) but to have authorization determined for every access?

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=3862277#3862277
[JBoss-user] [Security JAAS/JBoss] - Cross-context form-based authentication
I have two applications, each with their own context root and each with their own JAAS security domain. I have a set of users with the same logon credentials for both security domains but with differing roles for each domain.

If I set the auth-method for both apps to BASIC then I can authenticate for one app and get the correct roles, and then switch to the URL of the other app and get the correct roles for that app. I do not need to re-authenticate when switching between apps.

If I set the auth-method for both apps to FORM then I can authenticate for one app and get the correct roles; however, if I switch the URL in the browser to point to the second app I have to re-authenticate myself. (I do, however, get the correct roles.)

Is there a way to get form-based authentication to store the user credentials in the same "magic way" that basic authentication does, and thus allow me to log on once?

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=3861683#3861683