6 Replies Latest reply on Mar 3, 2008 8:46 AM by mcalello

How to dynamically change security role without logging out

rickkw May 6, 2005 6:47 PM

Hi,

I have a custom LoginModule derived from some sample code. There, I create a SimpleGroup, "Roles", to store security roles used by my web applications. This "Roles" is then set into the Subject's principal.

I also have a group of Web applications that are hooked together with Single-Sign On with each web application requiring a different security role that can be found in the "Roles" group. Everything works as expected.

Now, I am trying to allow a user to change the security roles within a web application session.

I use SecurityAssociation.getSubject() to get back the current Subject. From the Subject, I retrieved back the Group, "Roles". Finally, from this "Roles" Group, I added additional security roles in the form of Principal.

However, I notice that Tomcat returns status 403, forbidden, for resources that are protected by security roles that I newly added within a user session. It does not seem to look into what's in "Roles" Group anymore until I log out the current user, and log back in.

Does Tomcat keep its own cache of user's security roles separate from what's stored in the Subject? Does this have anything to do with SSO? What am I missing?

Thanks,
--
Rick

1. Re: How to dynamically change security role without logging

starksm64 May 7, 2005 10:14 AM (in response to rickkw)

There is no support for refreshing an existing login's associated roles without reauthenticating.
Actions
2. Re: How to dynamically change security role without logging

rickkw May 9, 2005 4:51 PM (in response to rickkw)

Thanks for the quick response Scott. I am wondering if JBossGenericPrincipal can be made a public class. The security roles I have is stored in my callerPrincipal. I am experimenting subclassing JBossSecurityMgrRealm, and in the getCachedPrincpal method, return a subclass of JBossGenericPrincipal that overrides getRoles() and hasRole(). I am currently stuck at JBossGenericPrincipal being a package private class that I cannot subclass.

Thanks,
--
Rick
Actions
3. Re: How to dynamically change security role without logging

rickkw May 9, 2005 8:22 PM (in response to rickkw)

Scott,

One more note: I tested the approach of subclassing JBossSecurityMgrRealm as mentioned above. It works well. I have to recompile JBoss to make JBossGenericPrincipal a public class, along with making public a few of its methods. Would you please make this class public? I am using JBoss 4.0.1.

P.S. I would need

public class JBossGenericPrincipal
public JBossGenericPrincipal(...)
public Principal getAuthPrincipal()
public Principal getCallerPrincipal()
public Object getCredentials()
public Subject getSubject()

Thanks,
--
Rick
Actions
4. Re: How to dynamically change security role without logging

starksm64 May 10, 2005 8:02 AM (in response to rickkw)

I don't think I want to support that level of integration as its too tightly coupled to the implementation. There should be some type of refresh capability of the user roles. Create a feature request in jira with your changes and I'll see how this can be supported without requiring subclassing and access to the user representation.

http://jira.jboss.com/jira/browse/JBAS
Actions
5. Re: How to dynamically change security role without logging

anil.saldhana Nov 7, 2007 2:43 PM (in response to rickkw)

Look at the JIRA issue:
http://jira.jboss.com/jira/browse/JBAS-1802

The workaround is in:
http://anil-identity.blogspot.com/2007/11/tip-11-refresh-security-roles-within.html

For JBoss5 going forward, we may solve this in a better way than the proposed workaround.
Actions
6. Re: How to dynamically change security role without logging

mcalello Mar 3, 2008 8:46 AM (in response to rickkw)

We were able to finally workaround this issue without resorting to turning off all authentication caching in 4.2.2GA.

First I flush the authentication cache for the user who needs their roles refreshed.
http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials

Then use the new WebAuthentication class that Anil added (see:
http://wiki.jboss.org/wiki/Wiki.jsp?page=WebAuthentication)
to logout the user and programmatically log them right back in.

Anil, do you see any drawbacks to this approach?

Hope this helps!
-Marc
Actions

Go to original post