You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Elise Atkins <el...@tavve.com> on 2006/09/05 15:19:00 UTC
How to force each session to authenticate
I am using jboss and I trying to change the default caching behavior for
username/passwords. I would like to force each session to reauthenticate.
The first time the user logs in, the my login module is called and it
goes through login & commit as expected. The user's credentials are
cached. The second time the user logs in (the user has not logged out
from the first login but logs in using a different browser of a
different machine). The cached credentials are used. I believe that a
subclass of org.apache.catalina.realm.RealmBase is where the credentials
are stored but I can't determine which subclass is used and how or where
to specify a custom class that overrides the RealmBase.authenticate
method. I am using form based login and see that
org.apache.catalina.authenticator.FormAuthenticator is called. Where are
all the default classes that are instantiated specified?
The server.xml snippet specifying the Realm is:
<Server>
<!-- Use a custom version of StandardService that allows the
connectors to be started independent of the normal lifecycle
start to allow web apps to be deployed before starting the
connectors.
-->
<Service className="org.jboss.web.tomcat.tc5.StandardService"
name="jboss.web" debug="99">
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector acceptCount="100" address="${jboss.bind.address}"
connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" maxSpareThreads="75" maxThreads="150"
minSpareThreads="25" port="8080" redirectPort="8443"/>
<!-- A AJP 1.3 Connector on port 8009 -->
<!-- SSL/TLS Connector configuration using the admin devl guide
keystore -->
<Connector address="${jboss.bind.address}" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/tavve.keystore"
keystorePass="38828tavve57" maxSpareThreads="15"
maxThreads="100" minSpareThreads="5" port="8443"
scheme="https" secure="true" sslProtocol="TLS"/>
<Engine defaultHost="localhost" name="jboss.web" debug="99">
<Realm
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
debug="99"/>
<Logger category="org.jboss.web.localhost.Engine"
className="org.jboss.web.tomcat.Log4jLogger"
verbosityLevel="WARNING"/>
<Host autoDeploy="false" deployOnStartup="false"
deployXML="false" name="localhost">
<!-- Default context parameters -->
<DefaultContext cookies="true" crossContext="true"
override="true"/>
</Host>
</Engine>
</Service>
</Server>
Thanks,
Elise
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to force each session to authenticate
Posted by Mark Thomas <ma...@apache.org>.
Elise Atkins wrote:
> I am using jboss and I trying to change the default caching behavior for
> username/passwords. I would like to force each session to reauthenticate.
>
> The first time the user logs in, the my login module is called and it
> goes through login & commit as expected. The user's credentials are
> cached. The second time the user logs in (the user has not logged out
> from the first login but logs in using a different browser of a
> different machine). The cached credentials are used. I believe that a
> subclass of org.apache.catalina.realm.RealmBase is where the credentials
> are stored but I can't determine which subclass is used and how or where
> to specify a custom class that overrides the RealmBase.authenticate
> method. I am using form based login and see that
> org.apache.catalina.authenticator.FormAuthenticator is called. Where are
> all the default classes that are instantiated specified?
The authenticator, not the realm, controls this process. The relevant
classes for FORM authentication are:
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/valves/ValveBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java
I haven't tested this but what should work is:
- add a form authenticator valve as per
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
- set an attribute on the valve called cache and set it equal to false
HTH,
Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org