Posted to users@tomcat.apache.org by Elise Atkins <el...@tavve.com> on 2006/09/05 15:19:00 UTC

How to force each session to authenticate

I am using jboss and I am trying to change the default caching behavior for 
username/passwords. I would like to force each session to reauthenticate.

The first time the user logs in, my login module is called and it 
goes through login & commit as expected. The user's credentials are 
cached. The second time the user logs in (the user has not logged out 
from the first login but logs in using a different browser or a 
different machine), the cached credentials are used. I believe that a 
subclass of org.apache.catalina.realm.RealmBase is where the credentials 
are stored but I can't determine which subclass is used and how or where 
to specify a custom class that overrides the RealmBase.authenticate 
method. I am using form based login and see that 
org.apache.catalina.authenticator.FormAuthenticator is called. Where are 
all the default classes that are instantiated specified?

The server.xml snippet specifying the Realm is:
<Server>
    <!-- Use a custom version of StandardService that allows the
         connectors to be started independent of the normal lifecycle
         start to allow web apps to be deployed before starting the
         connectors.
    -->
    <Service className="org.jboss.web.tomcat.tc5.StandardService"
             name="jboss.web" debug="99">
        <!-- A HTTP/1.1 Connector on port 8080 -->
        <Connector acceptCount="100" address="${jboss.bind.address}"
                   connectionTimeout="20000" disableUploadTimeout="true"
                   enableLookups="false" maxSpareThreads="75" maxThreads="150"
                   minSpareThreads="25" port="8080" redirectPort="8443"/>
        <!-- A AJP 1.3 Connector on port 8009 -->
        <!-- SSL/TLS Connector configuration using the admin devl guide
             keystore -->
        <Connector address="${jboss.bind.address}" clientAuth="false"
                   keystoreFile="${jboss.server.home.dir}/conf/tavve.keystore"
                   keystorePass="38828tavve57" maxSpareThreads="15"
                   maxThreads="100" minSpareThreads="5" port="8443"
                   scheme="https" secure="true" sslProtocol="TLS"/>
        <Engine defaultHost="localhost" name="jboss.web" debug="99">
            <Realm certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
                   className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                   debug="99"/>
            <Logger category="org.jboss.web.localhost.Engine"
                    className="org.jboss.web.tomcat.Log4jLogger"
                    verbosityLevel="WARNING"/>
            <Host autoDeploy="false" deployOnStartup="false"
                  deployXML="false" name="localhost">

                <!-- Default context parameters -->
                <DefaultContext cookies="true" crossContext="true"
                                override="true"/>
            </Host>
        </Engine>
    </Service>
</Server>


Thanks,
Elise

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to force each session to authenticate

Posted by Mark Thomas <ma...@apache.org>.
Elise Atkins wrote:
> I am using jboss and I am trying to change the default caching behavior for
> username/passwords. I would like to force each session to reauthenticate.
> 
> The first time the user logs in, my login module is called and it
> goes through login & commit as expected. The user's credentials are
> cached. The second time the user logs in (the user has not logged out
> from the first login but logs in using a different browser or a
> different machine), the cached credentials are used. I believe that a
> subclass of org.apache.catalina.realm.RealmBase is where the credentials
> are stored but I can't determine which subclass is used and how or where
> to specify a custom class that overrides the RealmBase.authenticate
> method. I am using form based login and see that
> org.apache.catalina.authenticator.FormAuthenticator is called. Where are
> all the default classes that are instantiated specified?


The authenticator, not the realm, controls this process. The relevant
classes for FORM authentication are:
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/valves/ValveBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java

I haven't tested this but what should work is:
- add a form authenticator valve as per
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
- set an attribute on the valve called cache and set it equal to false

HTH,

Mark
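
The two-step procedure Mark describes, written out as an added example (this is not configuration from the thread or from the Tomcat project): a per-application context file that declares the FORM authenticator valve explicitly with the default, session-caching setting shown commented out beside the cache="false" setting that forces re-authentication. The file location META-INF/context.xml is Tomcat 5.5's standard one and is assumed here to apply to JBoss's embedded Tomcat as well.

```xml
<!-- META-INF/context.xml inside the WAR (added example; standard Tomcat 5.5
     location, assumed to be honoured by the JBoss-embedded Tomcat too) -->
<Context>

    <!-- Declaring the FormAuthenticator valve yourself replaces the one Tomcat
         would otherwise add automatically for <auth-method>FORM</auth-method>
         in web.xml, which is what makes its attributes configurable. -->

    <!-- Default behaviour (this is what the question describes): the
         authenticated Principal is cached in the HttpSession, so the Realm
         and its login module are consulted once per session only.
    <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
           cache="true"/>
    -->

    <!-- Per-request re-authentication: with cache="false" the Principal is
         not kept in the session; the authenticator re-submits the username
         and password it stored at login time to the Realm on every request
         for a protected resource, so the login module runs each time. -->
    <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
           cache="false"/>

</Context>
```

Two things worth checking after applying this: first, the valve only re-authenticates requests that fall under a <security-constraint>, so unprotected URLs still go through untouched; second, the Realm in the posted server.xml is JBoss's JBossSecurityMgrRealm, which delegates to the JBoss security domain, and that layer keeps its own authentication cache independent of Tomcat's session cache. If the login module still only runs once after setting cache="false", the security domain's cache timeout is the next place to look.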
