
JAAS CustomLoginModule not called for second location a user logs in


We implemented a CustomLoginModule extends UsernamePasswordLoginModule for JAAS in JBoss EAP 6.2.

The login module contains functionality that needs to be handled every login and it appears that for some logins, the CustomLoginModule is not called.

We notice that when a user logs in at two separate locations, the second login never enters the CustomLoginModule methods: initialize, login, logout, getRoleSets, getUsersPassword, createPasswordHash, validatePassword. It seems like the logged-in user's password and roles are cached and reused.

If the second user logs in with a wrong password, the validatePassword method is called.

So my question is: how can I force every login to go through the CustomLoginModule?


Solution

  • I was confused by possible solutions implementing a custom JaasSecurityManagerService mbean, or at least defining its DefaultCacheTimeout: link and link

    The answer proved much simpler, and I got it from here (scroll to the answer by Darren Jones for Wildfly, complemented by Artur Mioduszewski for EAP6.1).

    I use EAP 6.2, so I used the following configuration in my standalone.xml

    <subsystem xmlns="urn:jboss:domain:infinispan:1.4">
        <cache-container name="security" default-cache="auth-cache">
            <local-cache name="auth-cache" batching="true">
                <expiration lifespan="*INSERT_CACHE_TIMEOUT_IN_MILLIS"/>
            </local-cache>
        </cache-container>
    ...
    <security-domain name="myJaasDomain" cache-type="infinispan">
    

    Setting the timeout to 0 shows undefined behaviour, so I used 1 ms.
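To make concrete what the auth cache short-circuits, here is an added example of such a module (not the asker's code; written against the PicketBox UsernamePasswordLoginModule API that EAP 6.x ships, with an in-memory user store and a per-user failure counter constructed for illustration):

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.acl.Group;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class CustomLoginModule extends UsernamePasswordLoginModule {
    // Constructed in-memory user store: username -> hex(SHA-256(password)).
    // A real module would load this from a database or directory, with a salted, slow hash.
    private static final Map<String, String> USERS = new ConcurrentHashMap<String, String>();
    // Per-user failed-attempt counter: the kind of per-login logic that an auth-cache hit
    // silently skips, which is why the answer shortens the cache expiration.
    private static final Map<String, AtomicInteger> FAILURES = new ConcurrentHashMap<String, AtomicInteger>();
    static { USERS.put("alice", sha256Hex("correct horse battery staple")); }

    @Override
    protected String getUsersPassword() throws LoginException {
        String stored = USERS.get(getUsername());
        if (stored == null) throw new FailedLoginException("unknown user");
        return stored;
    }

    @Override
    protected boolean validatePassword(String input, String expected) {
        // Reached only on a cache miss or when the cached credential does not match.
        byte[] given = input == null ? new byte[0] : sha256Hex(input).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8));
        if (ok) { FAILURES.remove(getUsername()); return true; }
        FAILURES.putIfAbsent(getUsername(), new AtomicInteger());
        FAILURES.get(getUsername()).incrementAndGet();
        return false;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");   // "Roles" is the group PicketBox maps to application roles
        roles.addMember(new SimplePrincipal("user"));
        return new Group[] { roles };
    }

    private static String sha256Hex(String s) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

With the default cache lifespan, the failure counter and any audit logging in this module run only for the first login of a user at each node; the short expiration in the answer makes them run for every login.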