
Thread: Spring LDAP cache of credentials

  1. #1

    Spring LDAP cache of credentials

    It seems that Spring Security is caching the login credentials, and I'm not sure how to prevent it. Here are the steps I take:

    1. login with user/pass
    2. change password to pass1
    3. logout
    4. login with user/pass (this shouldn't work but still does)
    5. logout
    6. logout with user/pass1 (this should work and does)

    Notice that now the user can login with the old and new password. If I redeploy my application, then it is corrected - the old password doesn't work and the new one does.

    I am using standalone ApacheDS for LDAP and Tomcat for my application.

  2. #2
    Join Date
    Jul 2008
    Posts
    3


    I am getting exactly the same behaviour from the Ldap authentication, have you found a solution for this yet?

  3. #3
    Join Date
    Jul 2008
    Posts
    3


    OK, so I updated to spring-security-2.0.4 and this seems to fix the issue for me; I was using 2.0.0.

  4. #4


    I am still getting this behavior with OpenLDAP using Spring Security 2.0.4. If I restart Tomcat it seems to work fine. Is anyone else seeing this?

  5. #5
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505


    You will have better chances of getting an answer if you post this in the Spring Security forum.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  6. #6


    Were you able to find the solution to this? I'm having the same problem using OpenDS and spring security 2.0.4.

    thanks.

  7. #7
    Join Date
    Jan 2009
    Posts
    5


    This might help - I had a similar issue relating to caching of creds and was able to get around it by specifying the following:

    LdapContextSource ldapcontextsource = (LdapContextSource) ldapTemplateSUN3.getContextSource();
    // ensure credentials are not cached
    ldapcontextsource.setCacheEnvironmentProperties(false);

    Detail from AbstractContextSource:
    setCacheEnvironmentProperties

    public void setCacheEnvironmentProperties(boolean cacheEnvironmentProperties)

    Set whether environment properties should be cached between requests for anonymous environment. Default is true; setting this property to false causes the environment Hashmap to be rebuilt from the current property settings of this instance between each request for an anonymous environment.

    Parameters:
    cacheEnvironmentProperties - true causes that the anonymous environment properties should be cached, false causes the Hashmap to be rebuilt for each request.

  8. #8
    Join Date
    Feb 2009
    Posts
    2


    I'm getting the same behaviour with:
    - Spring LDAP 1.3.0.RELEASE
    - ApacheDS 1.0.2

    Setting the Cache Environment to false (contextSource.setCacheEnvironmentProperties(false)) did not change the behaviour.

    Any further ideas?

  9. #9
    Join Date
    Jan 2009
    Posts
    5


    you might try

    Code:
            ldapcontextsource.setPooled(false);

  10. #10
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505


    I honestly don't think Spring LDAP has anything to do with this problem. When authenticating (in effect: creating a new LDAP connection) Spring LDAP will always use the current credentials, regardless of whether the rest of the environment properties are cached or not.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member
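
Added example, not code from this thread or from the Spring LDAP project: one way to test the point made in post #10 is to bind to the directory directly with plain JNDI, bypassing Spring altogether and with connection pooling off, and see whether the server itself still accepts the old password. The class name is made up for this example; the LDAP URL and user DN are whatever your own setup uses.

```java
import java.io.Console;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Hypothetical helper class for this example; uses only the JDK's JNDI LDAP provider.
public class OldPasswordBindCheck {

    // Returns true if the directory accepts a simple bind with these credentials.
    static boolean bindSucceeds(String url, String userDn, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            // An empty password turns a simple bind into an unauthenticated bind,
            // which many servers accept, so it would not test the user's password.
            throw new IllegalArgumentException("password must not be empty");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // No pooling: every call opens a new connection and binds on it.
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // connects and binds here
            return true;
        } catch (AuthenticationException e) { // e.g. LDAP result 49, invalid credentials
            return false;
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (from a terminal): java OldPasswordBindCheck.java <ldap-url> <user-dn>");
            System.exit(2);
        }
        boolean oldOk = bindSucceeds(args[0], args[1], console.readPassword("old password: "));
        boolean newOk = bindSucceeds(args[0], args[1], console.readPassword("new password: "));
        System.out.println("directory accepts old password: " + oldOk);
        System.out.println("directory accepts new password: " + newOk);
        // oldOk == true: the server still honours the old password, so look at the directory.
        // oldOk == false: the directory is fine, so look at caching in the application layer.
    }
}
```

Run it right after step 2 of the original post (the password change), before redeploying or restarting anything, so the result reflects the same state in which the old password was still being accepted.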
