It's not so bad as sessions expire. You can set the following properties in <bean id="proxyPreAuthenticatedProcessingFilter" class="com.jaspersoft.jasperserver.api.security.externalAuth.preauth.BasePreAuthenticatedProcessingFilter">[/code]<property name="checkForPrincipalChanges" value="true"/><property name="invalidateSessionOnPrincipalChange" value="true"/> These properties are coming from Spring class of which the bean class is a subclass.
Note that unless you specifically use external authentication to authenticate users via rest or webservices, proxyBasicProcessingFilter can me completely removed from the sample file. As a result of this, delegatingPreAuthenticatedFilter in applicationContext-security-web.xml will fall back on the non-external basicProcessingFilter behaviour. Sample file is provided just as that. It includes more scenarios than you might need.
James, It's a definite bug which was introduced in 5.1. I opened an issue and linked it to the original bug, which I re-opened. So far, the engineer works to make it fixed in 5.6. Sorry for any inconvenience. Dmitriy
Try with a simpler regex first to see if it works. ^d{5,}$ for example.
Most likely it won't, but still.
Have you enable some js password encryption?
encryption.on=true in security-config.properties?
Please note that password hashing has been broken. The part that is broken hashing-wise is user creation and user reading from db. We plan to fix it in 5.6 or 6.0. Sha-1/MD5 are deprecated for password encryption. They are considered as broken. Please use SHA-2 or better. I have only heard of other possibilities like scrypt, bcrypt.