8 Replies Latest reply on Feb 24, 2004 8:02 PM by rickarcmind

    JBoss SX seems to cache user/roles

    rickarcmind

      Is there any way to tell JBoss SX not to cache user/roles data?

      I am using DatabaseServerLoginModule as follows:

       <application-policy name="expressDomain">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag="required" >
       <module-option name="dsJndiName">java:/jdbc/mysql</module-option>
       <module-option name="principalsQuery">
       select passwrd from app_user where username=?
       </module-option>
       <module-option name = "rolesQuery">
       select role_name, 'Roles' from user_role where username=?
       </module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      In this application an admin can come along and edit another user's roles, but this does not seem to get reflected. It seems like JBoss SX caches the roles/user mappings. Is there any way to turn this caching off?

      I downloaded the JBoss SX source from SF and walked the tree from DatabaseServerLoginModule to AbstractServerLoginModule and it does not seem like they are caching the results. I am guessing it is another class that uses DatabaseServerLoginModule that caches the roles/users.



        • 1. Re: axis version in upcoming 3.0.1
          rickarcmind

          Hey - NO problem. I am always very grateful for your hard work on this. I'll be patient.

          • 2. Re: JBoss SX seems to cache user/roles
            rickarcmind

            I saw this

            http://jboss.sourceforge.net/doc-24/ch07s09.html


            The example they give seems to set the cache policy.

            <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="Security:name=JaasSecurityManager">
             <attribute name="SecurityManagerClassName">
             org.jboss.security.plugins.JaasSecurityManager
             </attribute>
             <attribute name="SecurityProxyFactoryClassName">
             org.jboss.security.SubjectSecurityProxyFactory
             </attribute>
             <attribute name="AuthenticationCacheJndiName">
             srp/SRPAuthenticationCache
             </attribute>
            </mbean>
            


            Mine does set a cache policy. Here is my version of the above
            from jboss-service.xml
             <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
             name="jboss.security:service=JaasSecurityManager">
             <attribute name="SecurityManagerClassName">
             org.jboss.security.plugins.JaasSecurityManager
             </attribute>
             </mbean>
            


            After looking at the code for org.jboss.security.plugins.JaasSecurityManagerService, it seems to default to a timed cache.

            public class JaasSecurityManagerService
             extends ServiceMBeanSupport
             implements JaasSecurityManagerServiceMBean
            {
             ...
             private static final String DEFAULT_CACHE_POLICY_PATH = "java:/timedCacheFactory";
            ...
            


            How do I set up the timed cache? Can I just set this parameter to nothing? Will that override the timed cache?

            I'll try.

            • 3. Re: JBoss SX seems to cache user/roles
              rickarcmind

               

               private static CachePolicy lookupCachePolicy(String securityDomain)
               {
                  CachePolicy authCache = null;
                  String domainCachePath = cacheJndiName + '/' + securityDomain;
                  try
                  {
                     InitialContext iniCtx = new InitialContext();
                     authCache = (CachePolicy) iniCtx.lookup(domainCachePath);
                  }
                  catch(Exception e)
                  {
                     // Failed, treat the cacheJndiName name as a global CachePolicy binding
                     try
                     {
                        InitialContext iniCtx = new InitialContext();
                        authCache = (CachePolicy) iniCtx.lookup(cacheJndiName);
                     }
                     catch(Exception e2)
                     {
                        log.warn("Failed to locate auth CachePolicy at: "+cacheJndiName
                           + " for securityDomain="+securityDomain);
                     }
                  }
                  return authCache;
               }
              
              


              It looks like the lookup just returns a null if it cannot find a cache... Worth a shot
              Setting cache policy blank
              <attribute name="AuthenticationCacheJndiName">
               </attribute>
              
              


              • 4. Re: JBoss SX seems to cache user/roles
                rickarcmind

                Setting the cache policy to nothing did not work! :(

                Oh well

                19:29:20,296 ERROR [Engine] CoyoteAdapter An exception or error occurred in the container during the request processing
                java.lang.NullPointerException
                 at org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole(JaasSecurityManager.java:318)
                 at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.hasRole(JBossSecurityMgrRealm.java:339)
                 at org.apache.catalina.authenticator.AuthenticatorBase.accessControl(AuthenticatorBase.java:632)
                 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                 at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                 at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
                


                Help! ;)

                • 5. Re: JBoss SX seems to cache user/roles
                  wdrai

                  You should keep the caching on. If you don't, the LoginModule will be called on every request (and it seems that the JaasSecurityManager won't work without cache).
                  If you want to update the password/roles of users, you have to flush the cache through JMX by calling "jboss.security:service=JaasSecurityManager".flushAuthenticationCache(securityDomain, principal). There are lots of posts in the forums explaining how to do that.

                  • 6. Re: JBoss SX seems to cache user/roles
                    rickarcmind

                    Thanks.

                    • 7. Re: JBoss SX seems to cache user/roles
                      rickarcmind

                      I did some searching around....

                      I came up with a code snippet

                      // JMX matches the operation name and parameter types exactly,
                      // so the strings must not carry trailing spaces.
                      Object[] params = new Object[]{jaasDomainName, simplePrincipal};
                      String[] signature = new String[]{"java.lang.String",
                                                        "java.security.Principal"};
                      mbeanServer.invoke(jaasObjectName, "flushAuthenticationCache", params,
                                         signature);
                      


                      Code from http://www.junlu.com/msg/36344.html

                      I'll need to do some more research. I have not worked with JMX much. But thanks for the trail.

                      I also found this: (JBossTestServices)
                       /** Flush all authentication credentials for the java:/jaas/other security
                           domain
                        */
                       void flushAuthCache() throws Exception
                       {
                          ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                          Object[] params = {"other"};
                          String[] signature = {"java.lang.String"};
                          invoke(jaasMgr, "flushAuthenticationCache", params, signature);
                       }
                      
                      
                      


                      The above can be found at:
                      http://www.thecortex.net/clover/eg/jboss/report/org/jboss/test/JBossTestServices.html


                      It is sure nice having the entire code base online so it can be googled!



                      • 8. Re: JBoss SX seems to cache user/roles
                        rickarcmind

                        Well I tried...

                        I can't seem to init the server....

                         protected void init() throws Exception {
                            if (initialContext == null) {
                               initialContext = new InitialContext();
                            }
                            if (server == null) {
                               String serverName = System.getProperty("testAdvantage.jboss.server.name"); //not set, this prop is null
                               if (serverName == null) {
                                  serverName = InetAddress.getLocalHost().getHostName(); //the host name is RicksMachine
                               }
                               server =
                                  (Remote) initialContext.lookup("jmx:" + serverName + ":rmi");
                            }
                         }
                        
                        


                        Here is the exception I get.....

                        10:07:15,312 ERROR [STDERR] javax.naming.NameNotFoundException: jmx:RicksMachine:rmi not bound
                        10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getBinding(NamingServer.java:495)
                        10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getBinding(NamingServer.java:503)
                        10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getObject(NamingServer.java:509)
                        10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.lookup(NamingServer.java:282)
                        10:07:15,312 ERROR [STDERR] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:528)
                        10:07:15,312 ERROR [STDERR] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:507)
                        10:07:15,312 ERROR [STDERR] at javax.naming.InitialContext.lookup(InitialContext.java:347)
                        10:07:15,312 ERROR [STDERR] at org.appfuse.webapp.service.UserManagerJBossSpecific.init(UserManagerJBossSpecific.java:102)
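
Added example, not part of the original thread and not JBoss's own code: the per-user flush described in reply 5, invoked through an MBeanServer located in the same JVM instead of a JNDI/RMI adaptor lookup. `FlushRolesDemo`, `StubSecurityManager`, `flushUser` and the sample users are constructed stand-ins so the code runs on a plain JDK; it assumes that inside JBoss the calling code shares the server's JVM, where the real service is already registered under this ObjectName.

```java
import java.security.Principal;
import java.util.*;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

public class FlushRolesDemo {
    // Constructed stand-in for the real service so the demo runs on a plain JDK.
    public interface StubSecurityManagerMBean {
        void flushAuthenticationCache(String securityDomain, Principal user);
    }

    public static class StubSecurityManager implements StubSecurityManagerMBean {
        final Map<String, Set<String>> cached = new HashMap<>();

        public void flushAuthenticationCache(String securityDomain, Principal user) {
            Set<String> users = cached.get(securityDomain);
            if (users != null) users.remove(user.getName());
        }
    }

    static final String JAAS_MGR = "jboss.security:service=JaasSecurityManager";

    // Call right after the role change is committed; until the entry is flushed
    // or times out, the cached (old) roles keep being used for that user.
    static void flushUser(String securityDomain, String username) throws Exception {
        // Same-JVM lookup: no JNDI/RMI adaptor name is needed.
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) throw new IllegalStateException("no MBeanServer in this JVM");
        // Inside JBoss, pass the Principal class the login module creates
        // (the thread's snippet uses a variable named simplePrincipal).
        Principal user = () -> username;
        servers.get(0).invoke(new ObjectName(JAAS_MGR), "flushAuthenticationCache",
                new Object[] {securityDomain, user},
                new String[] {"java.lang.String", "java.security.Principal"});
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = MBeanServerFactory.createMBeanServer();
        StubSecurityManager stub = new StubSecurityManager();
        stub.cached.put("expressDomain", new HashSet<>(Arrays.asList("alice", "bob")));
        server.registerMBean(stub, new ObjectName(JAAS_MGR));

        flushUser("expressDomain", "alice");
        System.out.println("still cached: " + stub.cached.get("expressDomain"));
    }
}
```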