1

I use JSF 2 deployed on Liberty 22.0.0.6 server.

My FORM based authentication is against LDAP using j_security_check. It is working and my user can log in/authenticate and get LTPA2 token back. And logout functionality works as well.

However, I notice the following

  1. user logs in successfully
  2. user logs out and is sent back to log in page - as expected
  3. If user attempts to log in with incorrect password, she is asked to go back to login page and provide correct credentials - as expected
  4. Repeat step 3
  5. Repeat step 3. On 3rd invalid attempt, LDAP locks the user account for 30 min
  6. User attempts to log in again before LDAP unlocks account, this time with correct credentials, and succeeds - THIS SHOULD NOT HAPPEN

I would expect that in step 6, user should not be allowed to log in even though she provided correct credentials, because LDAP has locked the account for 30 min in step 5.

Being new to Liberty server and JSF, I'm having difficulties understanding this. Is LTPA token being casheed somewhere and how to find that out?

Based on my reading, I think that the caching is happening in Liberty server, not in JSF app.

pixel
  • 9,653
  • 16
  • 82
  • 149

1 Answers1

1

Check this page Configuring the authentication cache in Liberty. There is a auth cache in Liberty with default timeout of 600s.

Quoting the page:

Any change that is made to the user registry configuration in the server.xml file clears the authentication cache. However, if changes are made to an external user registry, such as LDAP, the authentication cache is unaffected.

So in your case, Liberty doesnt know that the user account has been locked out and if it is within timeout, after successful authentication it is reusing credentials from the cache.

You can either:

  • disable cache (not really recommended due to performace)
<authentication id="Basic" cacheEnabled="false" />
  • change the timeout to smaller value, so cached items are cleared faster and risk of using invalid data is lower
 <authCache timeout="5m"/>
  • clear the authentication cache manually by using the DeleteAuthCache MBean and calling the removeAllEntries() method.

What you will choose depends on your security requirements. I'd strongly avoid disabling cache in general, and if lowering timeout is not sufficient for you, you would have to write a service that would clear the cache on demand. But be aware that it clears the whole cache.

Gas
  • 17,601
  • 4
  • 46
  • 93
  • Mind adding more context to your last point with DeleteAuthCache. I cannot find much how to do it from JSF. Thank you – pixel Apr 15 '23 at 20:27
  • @pixel You need to access `MBeanServer` from your JSF serverside code. Check for more details here https://www.ibm.com/docs/en/was-liberty/nd?topic=jmx-working-mbeans-liberty – Gas Apr 17 '23 at 17:39
  • Thanks @Gas but that bean will clear all users from the cache, not only one single user that has been locked out by LDAP. (https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__DeleteAuthCache) – pixel Apr 19 '23 at 16:03
  • 1
    @pixel yes I wrote that above - "be aware that it clears the whole cache" – Gas Apr 19 '23 at 16:33