14 Replies Latest reply on Feb 2, 2005 1:03 PM by swankjesse

    How do I flush the Jaas auth cache?

    ikestrel

      So I have a user cruising around the site and they do something that entitles them to a higher level of access--thus changing or adding to their roles in the database (I'm using the db login module). How do I make this take effect in the security manager so they can have immediate access to the other areas of the site? My understanding is that it just keeps hitting the cache and never goes back to check on the database again, so it doesn't get updated with the role changes. How can I get it to update?

      Thanks!

        • 1. Re: How do I flush the Jaas auth cache?
          starksm64

          import java.net.InetAddress;
          import javax.management.ObjectName;
          import javax.naming.InitialContext;
          import org.jboss.jmx.interfaces.RMIConnector;

          // Flush every cached entry of the given security domain through the JMX RMI connector.
          private static void flushAuthCache(String domain) throws Exception
          {
              String serverName = InetAddress.getLocalHost().getHostName();
              // JNDI name under which the RMI connector is bound
              String connectorName = "jmx:" + serverName + ":rmi";
              RMIConnector server = (RMIConnector) new InitialContext().lookup(connectorName);
              ObjectName jaasMgr = new ObjectName("Security:name=JaasSecurityManager");
              Object[] params = {domain};
              String[] signature = {"java.lang.String"};
              server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
          }

          • 2. Re: How do I flush the Jaas auth cache?
            ngandriau

            I tried this solution but received a bad exception:
            javax.management.InstanceNotFoundException: jboss.security:name=JaasSecurityManager is not registered.
            ......

            After a look into jboss-service.xml, I decided to replace "jboss.security:name=JaasSecurityManager" by "jboss.security:service=JaasSecurityManager" and the exception disappeared and the cache was flushed.

            Hope it helps.
            Nicolas






            • 3. Re: How do I flush the Jaas auth cache?
              zhan

              I tried the following similar solution to flush the cache, but the strange thing is: it works if I invoke it from the JBoss jmx-console, however, it does not work correctly if I invoke it from the code.
              Can anybody tell me what's wrong? Is it a JBoss bug, or am I missing something? Here is my flush function; it gets called after I change the user role in the database:

              import javax.ejb.EJBException;
              import javax.management.MBeanServer;
              import javax.management.MBeanServerFactory;
              import javax.management.ObjectName;

              // EMSServerException is the poster's own application exception.
              public void flushSecurityDomain() throws EMSServerException
              {
                  // Locate the MBeanServer running in this VM
                  java.util.ArrayList servers = MBeanServerFactory.findMBeanServer(null);
                  if (servers.size() != 1) throw new EMSServerException("Not exactly one server found");
                  MBeanServer server = (MBeanServer) servers.get(0);
                  String[] params = { "MyDomain" };
                  String[] signature = { "java.lang.String" };
                  try
                  {
                      ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                      server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
                      System.out.println("After flushAuthenticationCache invoked, domain is " + params[0]);
                  }
                  catch (Exception e)
                  {
                      e.printStackTrace();
                      throw new EJBException(e);
                  }
              }


              Thanks!

              • 4. Re: How do I flush the Jaas auth cache?
                zhan

                Problem solved!
                It looks like this flush function has to be invoked at the last step of the bean operation; if I invoke it during the middle of the operation, it has some weird behavior.

                • 5. Re: How do I flush the Jaas auth cache?
                  sundaram

                  hi,

                  I tried this; it's flushing currently logged-in users' roles also.


                  Any other way to flush the cache?

                  -SR

                  • 6. Re: How do I flush the Jaas auth cache?
                    kondjboss

                    Try this.. this should only flush the user myName

                    Object[] params = {domain, new org.jboss.security.SimplePrincipal(myName)};
                    String[] signature = {"java.lang.String","java.security.Principal"};

                    Thanks,
                    -AJ
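
An added example (not code from any poster in this thread or from JBoss) that combines the MBean name from reply 2 with the per-user signature from reply 6 and fails with a clear message when that name is not registered. The class name `AuthCacheFlusher` and its method names are hypothetical; it assumes it runs inside the JBoss VM with the JMX and JBoss security jars on the classpath.

```java
import java.security.Principal;
import java.util.Iterator;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import org.jboss.security.SimplePrincipal;

/** Hypothetical helper: evict cached credentials and roles from a security domain. */
public final class AuthCacheFlusher {
    // MBean name reported as working in reply 2; confirm it in your jboss-service.xml.
    private static final String JAAS_MGR = "jboss.security:service=JaasSecurityManager";

    private AuthCacheFlusher() {}

    /** Return the in-VM MBeanServer that actually hosts the security service. */
    static MBeanServer findServer(ObjectName name) {
        // Raw Iterator keeps this compilable on the JDK 1.4 that JBoss 3.2 runs on.
        for (Iterator it = MBeanServerFactory.findMBeanServer(null).iterator(); it.hasNext();) {
            MBeanServer candidate = (MBeanServer) it.next();
            if (candidate.isRegistered(name)) {
                return candidate;
            }
        }
        // Avoids the bare InstanceNotFoundException seen in reply 2.
        throw new IllegalStateException(name + " is not registered in any local MBeanServer");
    }

    /** Flush only one user's entry, leaving other logged-in users' entries cached. */
    public static void flushUser(String domain, String userName) throws Exception {
        ObjectName jaasMgr = new ObjectName(JAAS_MGR);
        Principal user = new SimplePrincipal(userName);
        Object[] params = { domain, user };
        String[] signature = { String.class.getName(), Principal.class.getName() };
        findServer(jaasMgr).invoke(jaasMgr, "flushAuthenticationCache", params, signature);
    }

    /** Flush every entry in the domain, for example after a bulk role revocation. */
    public static void flushDomain(String domain) throws Exception {
        ObjectName jaasMgr = new ObjectName(JAAS_MGR);
        Object[] params = { domain };
        String[] signature = { String.class.getName() };
        findServer(jaasMgr).invoke(jaasMgr, "flushAuthenticationCache", params, signature);
    }
}
```

Call `flushUser` once the database update that changes the user's roles has completed, so that a revoked role stops being honoured from the cache as well as a newly granted one taking effect.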

                    • 7. Re: How do I flush the Jaas auth cache?
                      jkuhn

                      I'm running JBoss 3.2.1, and I can't get this code to compile. I must be missing
                      a jar file or something.

                      Can somebody tell me where to import the following classes?:

                      EMSServerException
                      MBeanServer
                      MBeanServerFactory
                      ObjectName

                      I am unable to find javax.management.* in any of my jar files.

                      • 8. Re: How do I flush the Jaas auth cache?

                        jboss-jmx.jar

                        • 9. Re: How do I flush the Jaas auth cache?

                          Uhm, jmxri.jar is Sun's Reference Implementation.

                          • 10. Re: How do I flush the Jaas auth cache?
                            jkuhn

                            ok.

                            Well... it contained the classes I was looking for, and it allowed me to compile.

                            Anyway, I abandoned that method of clearing the cache.

                            The problem at hand was that when one person logged in, he got the privs
                            of the first person that logged in. I discovered that the reason for this was
                            because the principals of the subject were not being cleared upon logout.
                            So I'm just making a new loginContext every time I log in, and that gives me
                            a null subject... problem solved.

                            Thanks anyway.










                            • 11. Re: How do I flush the Jaas auth cache?
                              loshsu

                              I also tried flushAuthenticationCache() in JaasSecurityManagerService but it's not the cache I want to flush.
                              After tracing the code a little bit further, I found out that the cache I really need to flush is inside org.jboss.security.plugins.JaasSecurityManager.

                              Does this mean I have to customize it so I could flush the right cache or I missed something important here?

                              Allen

                              • 12. Re: How do I flush the Jaas auth cache?
                                starksm64

                                The JaasSecurityManagerService.flushAuthenticationCache operation flushes the underlying JaasSecurityManager associated with the security domain argument, so it is what you want to use.

                                • 13. Re: How do I flush the Jaas auth cache?
                                  loshsu

                                  I tried to inject some additional code into JaasSecurityManager to trace the cache status. What I expected is after calling JaasSecurityManagerService.flushAuthenticationCache(String securityDomain, Principal user), the cache shouldn't contain the specified user. But the result shows another story.

                                  1. The flush method is called in vas.fresh.struts.ChangePasswordAction.
                                  2. After that the JaasSecurityManager is called again to see if it still has the user and it does.

                                  2004-02-12 11:45:19,043 DEBUG [vas.fresh.struts.ChangePasswordAction] flushed: allen
                                  2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] principal: allen, allowRefresh: true
                                  2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] items: [allen]
                                  2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] validateCache, info=Subject
                                  Principal: allen
                                  Principal: Roles(members:FreshAdmin)
                                  ,1076557512257
                                  2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] principal: allen, allowRefresh: false
                                  2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] items: [allen]

                                  What I can do now is to reduce "DefaultCacheTimeout" and "DefaultCacheResolution", so the cache will expire very soon.
                                  But if it can be flushed right away, that will be superb.

                                  Allen

                                  • 14. Re: How do I flush the Jaas auth cache?
                                    swankjesse

                                    Note that this approach does not work in JBoss 3.2.7 (and perhaps earlier versions such as 3.2.5).

                                    See http://www.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials for the latest sample code.