Picketbox Login module is called many times after upgrading from JBoss EAP 6 to JBoss EAP 7

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7
  • Picketbox/Legacy security with login module
  • Post upgrade / migration from JBoss EAP 6
  • Successful authentication

Issue

  • Login Module is re-executed in every request.

Resolution

To fix the issue, set the cache-type attribute to "default" on the <security-domain> element of the affected domain, for example:

<security-domain name="MyRealm">
    ...
</security-domain>

becomes

<security-domain name="MyRealm" cache-type="default">
    ...
</security-domain>
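As an added example (not part of the Red Hat solution), the following script audits a standalone.xml for legacy security domains that lack a cache-type attribute, which is exactly the post-migration state that makes the login modules run on every request, and generates the management CLI commands that set cache-type=default on each one. The sample configuration is constructed; the CLI command form is assumed from the standard write-attribute operation and should be checked against the target EAP 7 version.

```python
# Added example (not the Red Hat solution's code): audit a standalone.xml for
# legacy security domains without cache-type and print the CLI fix for each.
import xml.etree.ElementTree as ET

# Constructed sample configuration: MyRealm has no cache, "other" already does.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:2.0">
      <security-domains>
        <security-domain name="MyRealm">
          <authentication><login-module code="Database" flag="required"/></authentication>
        </security-domain>
        <security-domain name="other" cache-type="default">
          <authentication><login-module code="Remoting" flag="optional"/></authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""


def _local_name(tag):
    """Strip the namespace so the check works for any security subsystem version."""
    return tag.rsplit('}', 1)[-1]


def find_uncached_domains(xml_text):
    """Return names of security domains whose cache-type attribute is unset."""
    root = ET.fromstring(xml_text)
    return [el.get('name') for el in root.iter()
            if _local_name(el.tag) == 'security-domain' and el.get('cache-type') is None]


def cli_fix_commands(xml_text):
    """Management CLI commands that set cache-type=default on each uncached
    domain (assumed command form; verify against your EAP 7 version)."""
    return ['/subsystem=security/security-domain=%s:write-attribute(name=cache-type,value=default)' % n
            for n in find_uncached_domains(xml_text)]


if __name__ == '__main__':
    for name in find_uncached_domains(SAMPLE_STANDALONE_XML):
        print('security-domain "%s" has no cache-type: login modules run on every request' % name)
    for cmd in cli_fix_commands(SAMPLE_STANDALONE_XML):
        print(cmd)
```

Run it against the real standalone.xml by replacing the constructed sample with the file contents; a reload is required after the attribute is written.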

Root Cause

In JBoss EAP 6, JAAS authentication caching was enabled by default for web applications. In JBoss EAP 7 this is no longer the case: caching must be explicitly configured on the security-domain, otherwise every request triggers a full login module run.

Diagnostic Steps

  • The cache lookup in isValid(...) of JBossCachedAuthenticationManager.java returns null, i.e. no cached DomainInfo entry is found for the principal, so the login modules are executed again:

      public boolean isValid(Principal principal, Object credential, Subject activeSubject)
      {
         // first check cache
         DomainInfo cachedEntry = getCacheInfo(principal != null ? principal : new org.jboss.security.SimplePrincipal("null"));
         ...(snip)...
      }

  • The <security-domain> element in standalone.xml has no cache-type attribute and begins like this:

      <security-domain name="MyRealm">
         ...
      </security-domain>

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.