tags:

views:

413

answers:

2

I have written a custom login module for JBoss that authenticates/authorizes requests to a web service. The first call to the service authenticates fine. I can connect a debugger to the login module and trace the code execution. However, all subsequent calls to the web service skip the login module entirely. It appears JBoss/jaas is reusing the results of the first connection.

I'm stuck. Any suggestions to get me over the hump?

A: 

Is the authentication/authorization associated with a session object? How have you set the timeout/invalidation of the session?

JBOSS is probably caching the credential somehow. You want it to skip the login module in that case. You should only invalidate it if you log out or timeout the session.

Did you test it with two separate users/browsers, each with their own session?

duffymo
I have the same thought, JBoss is caching something. Since this is a custom security module for a stateless web service, I would prefer to cache the credentials myself. I would like to disable the JBoss caching and have the login module execute every time.
IdahoX
+1  A: 

I figured it out. I was trying to setup cookie based authentication. Apparently, JBoss/Jaas caches successful authentications based on username and password and cookies are ignored. To get things working, I dropped the cookie from the web service request and replaced it with a username and password in the authentication header.

IdahoX