3 Replies Latest reply on Mar 7, 2011 12:07 AM by unnis

    Security domain cache is not flushed on session timeout

    unnis

      Security domain cache is not flushed on session timeout. If the session expires due to an inactivity period, it seems that the security credentials are not flushed. I have given flushOnSessionInvalidation="true" in jboss-web.xml.

      If I am invalidating the session in the context of a request, the security credentials are getting cleared properly. But if the user is sitting idle for some time and the session is getting invalidated, the security domain cache is not flushed.

       

      Here is my configuration:

      JBoss version: 4.2.3

      Session timeout value in web.xml: 5 minutes

      "DefaultCacheTimeout" property value of "JaasSecurityManagerService" in jboss-service.xml is 1800 (which is 30 minutes)

      Here, if the user sits idle for 5 minutes, the session timeout happens. But the security credentials are cleared only after 30 minutes, i.e. the "DefaultCacheTimeout" time period.

       

      I have debugged through "SecurityFlushSessionListener". It has been seen that this class gets the Principal object only in the context of a request.

      The following code block in the "sessionDestroyed" method won't get executed, as Principal is null:

       

      if(principal != null && securityDomain != null)
         flushAuthenticationCache(principal);
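
One way to flush on idle timeout as well, shown as an added example that is not part of the original post or of JBoss: remember the user name in the session while a request is in scope, then flush that principal through the JaasSecurityManager MBean when the session is destroyed. The class name `TimeoutCacheFlusher`, the attribute name and the security domain name are hypothetical placeholders.

```java
import java.io.IOException;
import java.security.Principal;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.SimplePrincipal;

// Hypothetical class: register it as both a <filter> and a <listener> in web.xml.
public class TimeoutCacheFlusher implements Filter, HttpSessionListener {
    static final String USER_ATTR = "example.authUser";  // assumed attribute name
    static final String DOMAIN = "my-security-domain";   // placeholder: your security domain

    // While a request is in scope the principal is available, so remember its name.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();
        HttpSession s = http.getSession(false);
        if (p != null && s != null && s.getAttribute(USER_ATTR) == null) {
            s.setAttribute(USER_ATTR, p.getName());
        }
        chain.doFilter(req, res);
    }

    // Called for explicit invalidation and for idle timeout; needs no request context.
    public void sessionDestroyed(HttpSessionEvent event) {
        String user = (String) event.getSession().getAttribute(USER_ATTR);
        if (user == null) return;  // session was never authenticated
        try {
            MBeanServer server = MBeanServerLocator.locateJBoss();
            ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
            server.invoke(jaasMgr, "flushAuthenticationCache",
                    new Object[] { DOMAIN, new SimplePrincipal(user) },
                    new String[] { String.class.getName(), Principal.class.getName() });
        } catch (Exception e) {
            // Log and continue: the entry still expires at DefaultCacheTimeout.
            event.getSession().getServletContext().log("cache flush failed for " + user, e);
        }
    }

    public void sessionCreated(HttpSessionEvent event) { }
    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

The cache entry is keyed by principal, so flushing it forces re-authentication for every session of that user, not only the one that timed out.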