I'm trying to limitate just one "session per user" simultaneously in a portal using login modules. I create a login module that persist the username in a data source.
I'm using the UsersRolesLoginModule and my login module in the configuration.
When i log in the user with one brower, OK, it work. But when i try to login in the second brower to test, the login modules ARE NOT EXECUTED, bu the user is authenticated . No logs (neither in trace) in the server (i'm using jboss).
Maybe i could not understand the life cycle from the JAAS.
If the second browser happens to just be another window or tab of the same browser session, then the behavior is correct. The browser already knows the session cookie and has sent it to the web-server in the HTTP headers. As such, the server - after verifying the validity of the cookie - will not run the login module again.
If the second browser is a completely different browser - such as Chrome when the first browser is Firefox - then you'll need to investigate some more. Even though the source IP address is the same, Chrome and FF should be using different outbound socket ports to communicate with the web-server, and therefore, the web server should count these as completely two different connections.