Elise Atkins wrote:
> I am using JBoss and I am trying to change the default caching behavior for
> username/passwords. I would like to force each session to reauthenticate.
>
> The first time the user logs in, my login module is called and it
> goes through login & commit as expected. The user's credentials are
> cached. The second time the user logs in (the user has not logged out
> from the first login but logs in using a different browser or a
> different machine), the cached credentials are used. I believe that a
> subclass of org.apache.catalina.realm.RealmBase is where the credentials
> are stored but I can't determine which subclass is used and how or where
> to specify a custom class that overrides the RealmBase.authenticate
> method. I am using form based login and see that
> org.apache.catalina.authenticator.FormAuthenticator is called. Where are
> all the default classes that are instantiated specified?

The authenticator, not the realm, controls this process. The relevant classes for FORM authentication are:

http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/valves/ValveBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
http://svn.apache.org/repos/asf/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java

I haven't tested this but what should work is:
- add a form authenticator valve as per http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
- set an attribute on the valve called cache and set it equal to false

HTH,

Mark
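
The valve setup described in the reply, written out as an added example that is not part of the original thread and is untested here as well. Placing the valve in the web application's context.xml is an assumption; the class name and the cache attribute are the ones named in the question and the reply.

```xml
<!-- context.xml for the web application (file location is an assumption;
     it depends on how the container packages Tomcat) -->
<Context>
  <!-- Explicit FORM authenticator valve. cache="false" asks the
       authenticator not to cache the authenticated Principal. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         cache="false" />
</Context>
```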