Hi ICQuestions,
Just to elaborate more on the following two entries in JAAS config file
com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
sufficient - If the CRXLoginModule succeeds then the overall login succeeds, and control returns to the application. If the login fails then it continues to execute the other login modules in the list which is LDAPLoginModule.
Now suppose user is not present in CRX then LDAPLoginModule will be asked to authenticate the user directly from LDAP.
Since LDAPLoginModule is given a flag "required" which means - LDAPLoginModule must authenticate the user. But if it fails, the authentication nonetheless continues with the other login modules in the list (if any) and there is none other, so it fails globally.
Suppose now LDAPLoginModule is successfully able to authenticate the user from LDAP then it will sync it back to CRX if configured that way in JAAS config file.
Apart from this a cache of successful logins is maintained whose size and duration is configured by
1. cache.expiration (this controls how long successful logins stays in cache) WeakHashMap and LRUMap based implementation under the hood.
2. cache.maxsize(how many)
Now considering your case where you have deleted the user from CRX, CRXLoginModule will fail this time and the LDAPLoginModule will authenticate the user either directly from "cache" or from LDAP iself.
consider providing "optional" flag to CRXLoginModule and make the cache.expiration as 1(second).
Then try to login again after deleting user from CRX. you will see login will succeed, as now onwards LDAPLoginModule is consulted every time irrespective of what.
So you should be able to authenticate with your current settings even if you deleted the user from CRX.
Hope this is helpful.
Thanks,
Rakesh
