Hitachi

uCosminexus Application Server Security Management Guide


5.2.5 Validity period of user authentication and the inheritance of authentication states

The validity period of JAAS user authentication is from when the login method succeeds to when the logout method is invoked.

The J2EE Web application uses the HttpSession object to control virtual sessions with the users. To handle a number of HTTP protocol communications as a series of sessions, it is necessary to associate the HttpSession object with the requesting user by modifying the cookie or the URL in the Web application.

In the integrated user management framework, the state of a successful user authentication is stored in the HttpSession object. If a later request uses the same HttpSession object and is made in the same realm, the end user can skip entering the user authentication information (user ID and password), because the authentication information entered at the first login and the resulting authentication state are inherited automatically.
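The inheritance described above, as an added example that is not Cosminexus's own code: a servlet Filter runs the JAAS login once, keeps the authenticated Subject and the realm name in the HttpSession, and lets every later request in the same session and realm through without asking for the user ID and password again; the logout path ends the validity period. The session attribute keys, the "/logout" path, the form parameter names and the jaas.conf entry name "ExampleRealm" are assumptions of the example.

```java
// Added example (not Cosminexus's own code): JAAS login once per HttpSession,
// authentication state inherited by later requests, logout ends the validity period.
// Attribute keys, "/logout", form parameter names and the jaas.conf entry are assumptions.
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthenticationStateFilter implements Filter {

    // Hypothetical session attribute keys; the framework defines its own.
    private static final String SUBJECT_ATTR = "example.auth.subject";
    private static final String REALM_ATTR = "example.auth.realm";
    // Hypothetical application entry name in jaas.conf.
    private static final String REALM = "ExampleRealm";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if ("/logout".equals(request.getServletPath())) {
            logout(session);                 // validity period ends here
            response.sendRedirect(request.getContextPath() + "/");
            return;
        }

        Subject subject = (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject != null && REALM.equals(session.getAttribute(REALM_ATTR))) {
            // Same HttpSession, same realm: the state of the first login is inherited,
            // so the user is not asked for the user ID and password again.
            chain.doFilter(request, response);
            return;
        }

        String user = request.getParameter("user");
        String password = request.getParameter("password");
        if (user == null || password == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        char[] secret = password.toCharArray();
        try {
            LoginContext lc = new LoginContext(REALM, new FormCallbackHandler(user, secret));
            lc.login();                      // validity period starts here
            session.setAttribute(SUBJECT_ATTR, lc.getSubject());
            session.setAttribute(REALM_ATTR, REALM);
        } catch (LoginException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            Arrays.fill(secret, '\0');       // do not keep the clear-text password around
        }
        chain.doFilter(request, response);
    }

    private static void logout(HttpSession session) {
        Subject subject = (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject != null) {
            try {
                new LoginContext(REALM, subject).logout();   // let the login modules clean up
            } catch (LoginException ignored) {
                // the session is discarded below regardless
            }
        }
        session.invalidate();
    }

    // Hands the form credentials to whichever login modules jaas.conf lists for the realm.
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        FormCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
}
```

Only the Subject and the realm name are kept in the session; the LoginContext itself is not serializable, so the example rebuilds one from the stored Subject at logout, which also keeps the session attributes suitable for session failover as long as the principals the login modules add are serializable.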

However, the authentication state is not inherited in this way when the login modules are used in the order listed in the following table. For the functional details of each login module, see 5.3 User authentication mechanism based on Cosminexus standard login modules.

Table 5‒4: Order of use that does not allow end users to skip entering authentication information

  Order of use                  | Used login module
  ------------------------------+----------------------------------------------------------------
  First login                   | • DelegationLoginModule (when a custom login module or
                                |   WebCertificateLoginModule is invoked)
                                | • WebCertificateLoginModule
                                | • WebSSOLoginModule (when a custom login module or
                                |   WebCertificateLoginModule is invoked)
  Second and subsequent logins  | • WebPasswordLDAPLoginModule

When the login modules are used in the order listed in the following table, the end user can skip entering the authentication information at the second and subsequent logins (which use WebPasswordLDAPLoginModule) only if the login module used at the first login stored the password in the integrated user management session. In addition, the password used by WebPasswordLDAPLoginModule at the second and subsequent logins must be the same as the password entered at the first login. Administrators use jaas.conf (the JAAS configuration file) and ua.conf (the integrated user management configuration file) to specify whether passwords are stored and whether the stored passwords are encrypted. For details about the settings in jaas.conf, see 14.2.1 jaas.conf (JAAS configuration file). For details about the settings in ua.conf, see 14.2.2 ua.conf (integrated user management configuration file).

Table 5‒5: Order of use that allows end users to skip entering authentication information at the second and subsequent logins

  Order of use                  | Used login module
  ------------------------------+----------------------------------------------------------------
  First login                   | • WebPasswordLoginModule
                                | • WebPasswordJDBCLoginModule
                                | • WebPasswordLDAPLoginModule
  Second and subsequent logins  | • WebPasswordLDAPLoginModule

When the stored passwords are not encrypted, they may be leaked if the memory used by the J2EE server is read by unauthorized means. If the session failover functionality is active, the session information, including the passwords, is transmitted over the network, so the passwords can be intercepted there. Encryption reduces the risk of password leakage but affects performance. Decide whether to encrypt passwords by weighing the security requirements against the performance requirements. Note that the Triple DES encryption algorithm is used to encrypt the passwords.
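To make the trade-off above concrete, here is an added example that is not Cosminexus's own code: a serializable holder for the password that the first login keeps for the later WebPasswordLDAPLoginModule logins, storing only a Triple DES (DESede/CBC) ciphertext and its IV. A heap dump or a session serialized for failover then contains the ciphertext rather than the clear text. The key handling is an assumption of the example (one key generated per JVM process and held in a static field so it is never serialized with the session); the page does not describe how the product itself manages its key.

```java
// Added example (not Cosminexus's own code): a password kept in the session only as
// Triple DES ciphertext, so neither a memory dump nor a failed-over session shows clear text.
// Key handling is an assumption: one key per JVM process, never written out with the session.
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public final class StoredCredential implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final String TRANSFORM = "DESede/CBC/PKCS5Padding";
    private static final int IV_BYTES = 8;             // DESede block size
    private static final SecureRandom RNG = new SecureRandom();
    // static: not an instance field, so a session serializer never writes it out.
    private static final SecretKey KEY = newKey();

    private final byte[] iv;            // these two fields are all that leaves the process
    private final byte[] ciphertext;

    private StoredCredential(byte[] iv, byte[] ciphertext) {
        this.iv = iv;
        this.ciphertext = ciphertext;
    }

    // Encrypts the password entered at the first login for reuse at later logins.
    public static StoredCredential protect(char[] password) throws GeneralSecurityException {
        byte[] plain = toBytes(password);
        try {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);                          // fresh IV per stored password
            Cipher cipher = Cipher.getInstance(TRANSFORM);
            cipher.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
            return new StoredCredential(iv, cipher.doFinal(plain));
        } finally {
            Arrays.fill(plain, (byte) 0);               // wipe the clear-text copy
        }
    }

    // Recovers the password when a later login needs it; the caller wipes the result.
    public char[] reveal() throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(iv));
        byte[] plain = cipher.doFinal(ciphertext);
        try {
            return toChars(plain);
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }

    private static SecretKey newKey() {
        try {
            KeyGenerator generator = KeyGenerator.getInstance("DESede");
            generator.init(168);                        // three-key Triple DES
            return generator.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Triple DES unavailable", e);
        }
    }

    // char[] <-> byte[] without creating a String, which could not be wiped afterwards.
    private static byte[] toBytes(char[] chars) {
        ByteBuffer buffer = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buffer.remaining()];
        buffer.get(out);
        Arrays.fill(buffer.array(), (byte) 0);
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer buffer = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = new char[buffer.remaining()];
        buffer.get(out);
        Arrays.fill(buffer.array(), '\0');
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] entered = "constructed-sample-password".toCharArray();   // constructed sample input
        StoredCredential stored = protect(entered);
        Arrays.fill(entered, '\0');                     // first login is done with the clear text
        char[] again = stored.reveal();                 // second login gets the same password back
        System.out.println("recovered " + again.length + " characters for the next login");
        Arrays.fill(again, '\0');
    }
}
```

Because the key is held only in this process, a server that receives the session through failover could not decrypt the field unless it holds the same key, which is exactly the point: the ciphertext on the wire is useless on its own. A deployment that relies on failover therefore has to distribute the key to the participating servers out of band; the page states only that ua.conf controls whether encryption is used, not how the product's key is provisioned.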