11 Replies Latest reply on Apr 26, 2013 9:36 AM by mbuamuh

    How to add or remove roles for a given user?

    juergen.zimmermann

      In JBoss 5 and 6 I flushed the authentication cache regarding a given user when his/her roles changed (additional role or removed role). However, the following code fragment doesn't work in JBoss 7. Any hint is appreciated!

       

      ObjectName jaasSecurityManager = new ObjectName("jboss.security:service=JaasSecurityManager");
      Principal user = new SimplePrincipal("myLogin");
      Object[] params = { "mySecurityDomain", user};
      String[] signature = { "java.lang.String", "java.security.Principal"};
      MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
      server.invoke(jaasSecurityManager, "flushAuthenticationCache", params, signature);

       

      Relevant part of the resulting stacktrace:

      ...
      Caused by: javax.management.InstanceNotFoundException: jboss.security:service=JaasSecurityManager
          at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(DefaultMBeanServerInterceptor.java:1094)
          at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:833)
          at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
          at de.swe.util.jboss.RolesService.refresh(RolesService.java:52)

        • 1. Re: How to add or remove roles for a given user?
          emuckenhuber

          There should be an equivalent operation available through the CLI. Maybe you can see if executing a command like: '/subsystem=security/security-domain=other:flush-cache' does the trick.

          • 2. Re: How to add or remove roles for a given user?
            juergen.zimmermann

            Thank you for the hint, Emanuel. Can I invoke the CLI programmatically, e.g. inside a session bean?

            • 3. Re: How to add or remove roles for a given user?
              jaikiran

              Juergen Zimmermann wrote:

               

              Can I invoke the CLI programmatically, e.g. inside a session bean?

              Please don't call the CLI from the session bean

               

              I'll see what the CLI operation ends up calling and if that's exposed as a public API to end users.

              • 4. Re: How to add or remove roles for a given user?
                jaikiran

                What you'll require is the Management client API and invoke on that API. For that you'll need to know the API jars and other details of how to use it. The high level overview is here https://docs.jboss.org/author/display/AS7/Management+Clients. I'll let someone with more knowledge of the APIs let you know how to get started with invoking on them.

                • 5. Re: How to add or remove roles for a given user?
                  emuckenhuber

                  jaikiran pai wrote:

                   

                  What you'll require is the Management client API and invoke on that API. For that you'll need to know the API jars and other details of how to use it. The high level overview is here https://docs.jboss.org/author/display/AS7/Management+Clients. I'll let someone with more knowledge of the APIs let you know how to get started with invoking on them.

                  Yes, what I basically wanted to say is to execute a management operation. The CLI is just one way and, I agree, most likely not the best choice when used in a session bean.

                   

                  You may want to look into using the native client: https://github.com/jbossas/jboss-as/blob/master/controller-client/src/main/java/org/jboss/as/controller/client/ModelControllerClient.java - to execute the operation mentioned above. You would have to connect to the native management socket.

                  • 6. Re: How to add or remove roles for a given user?
                    emuckenhuber

                    I hope there is no typo, but in a nutshell it should work like:

                     

                            import org.jboss.as.controller.client.ModelControllerClient;
                            import org.jboss.dmr.ModelNode;

                            // Connect to the native management socket.
                            final ModelControllerClient client = ModelControllerClient.Factory.create("localhost", 9999);
                            try {
                                // Address of the resource: /subsystem=security/security-domain=other
                                final ModelNode address = new ModelNode();
                                address.add("subsystem", "security");
                                address.add("security-domain", "other");

                                // The detyped operation request: flush-cache on that address.
                                final ModelNode operation = new ModelNode();
                                operation.get("operation").set("flush-cache");
                                operation.get("address").set(address);

                                final ModelNode result = client.execute(operation);

                                if (!"success".equals(result.get("outcome").asString())) {
                                    throw new IllegalStateException("operation failed");
                                }
                            } finally {
                                if (client != null) {
                                    client.close();
                                }
                            }
                    

                     

                    You'll most likely need the 'org.jboss.as:jboss-as-controller-client' maven artifact and add the 'org.jboss.as.controller-client' module dependency. I guess we can also look into the option to provide an in-JVM client.

                    • 7. Re: How to add or remove roles for a given user?
                      juergen.zimmermann

                      Emanuel, I added "Dependencies: org.jboss.as.controller-client,org.jboss.dmr" to Manifest.mf to make it work. Thank you very much. It would be nice if these two dependencies could be provided out of the box.

                       

                      https://issues.jboss.org/browse/AS7-763 mentions that the operation "flush-cache" could take an argument to flush not the whole cache, but only the part of the given principal (resp. username). Can you advise me how to add a string argument to the "flush-cache" operation, please?

                      • 8. Re: How to add or remove roles for a given user?
                        emuckenhuber

                        Juergen Zimmermann wrote:

                         

                        Emanuel, I added "Dependencies: org.jboss.as.controller-client,org.jboss.dmr" to Manifest.mf to make it work. Thank you very much. It would be nice if these two dependencies could be provided out of the box.

                        Hmm, yeah that could make sense.

                         

                        Juergen Zimmermann wrote:

                         

                        https://issues.jboss.org/browse/AS7-763 mentions that the operation "flush-cache" could take an argument to flush not the whole cache, but only the part of the given principal (resp. username). Can you advise me how to add a string argument to the "flush-cache" operation, please?

                        Simply add: operation.get("principal").set(username); to the example above. This just adds a simple parameter - in case you are interested there is some additional information for the detyped operation requests here: http://community.jboss.org/wiki/FormatOfADetypedOperationRequest
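The management operation from replies 6 and 8 combined into one helper, as an added example that is not part of the original thread or of the JBoss code base. The class and method names, and the host, port, security domain and user name passed in `main`, are assumptions for illustration.

```java
import java.io.IOException;

import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.dmr.ModelNode;

public class AuthCacheFlusher {  // hypothetical class name

    /** Builds /subsystem=security/security-domain=DOMAIN:flush-cache(principal=USER). */
    static ModelNode buildFlushOperation(String securityDomain, String username) {
        ModelNode address = new ModelNode();
        address.add("subsystem", "security");
        address.add("security-domain", securityDomain);

        ModelNode operation = new ModelNode();
        operation.get("operation").set("flush-cache");
        operation.get("address").set(address);
        if (username != null) {
            // Restrict the flush to one principal; without this parameter
            // the whole cache of the security domain is flushed.
            operation.get("principal").set(username);
        }
        return operation;
    }

    /** Call after the user's roles changed, so cached roles are not reused. */
    static void flush(String host, int port, String securityDomain, String username)
            throws IOException {
        ModelControllerClient client = ModelControllerClient.Factory.create(host, port);
        try {
            ModelNode result = client.execute(buildFlushOperation(securityDomain, username));
            if (!"success".equals(result.get("outcome").asString())) {
                // Treat a failed flush as an error: the old roles may still be cached.
                throw new IllegalStateException(
                        "flush-cache failed: " + result.get("failure-description"));
            }
        } finally {
            client.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; 9999 is the native management port used above.
        flush("localhost", 9999, "other", "myLogin");
    }
}
```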

                        • 9. Re: How to add or remove roles for a given user?
                          frolovmx

                          I have managed to flush the authentication cache using javax.management API:

                           

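                          // Needs javax.management.MBeanServer, MBeanServerFactory, ObjectName
                          // and com.google.common.base.Throwables (Guava).
                          private void flushAuthenticationCache(final String userid) {
                              final String domain = "my-security-domain";
                              try {
                                  // MBean exposed for the security domain resource of the management model
                                  ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + domain);
                                  Object[] params = {userid};
                                  String[] signature = {"java.lang.String"};
                                  MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
                                  // Flush only the cache entry of the given user
                                  server.invoke(jaasMgr, "flushCache", params, signature);
                              } catch (Throwable e) {
                                  Throwables.propagate(e);
                              }
                          }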
                          

                           

                          If I think about portability, I would prefer javax.management API over org.jboss.dmr.

                          • 10. Re: How to add or remove roles for a given user?
                            mbuamuh

                            Maxim, I used the javax.management API as you specified, but I am getting the following exception. Is there anything more I need to do to avoid that exception? Like some configurations to my standalone.xml file?

                             

                            Caused by: java.util.NoSuchElementException: No child 'request-properties' exists
                                at org.jboss.dmr.ModelValue.requireChild(ModelValue.java:362)
                                at org.jboss.dmr.ObjectModelValue.requireChild(ObjectModelValue.java:298)
                                at org.jboss.dmr.ModelNode.require(ModelNode.java:812)
                                at org.jboss.as.jmx.model.ModelControllerMBeanHelper.invoke(ModelControllerMBeanHelper.java:355)
                                at org.jboss.as.jmx.model.ModelControllerMBeanHelper.invoke(ModelControllerMBeanHelper.java:342)
                                at org.jboss.as.jmx.model.ModelControllerMBeanServerPlugin.invoke(ModelControllerMBeanServerPlugin.java:108)
                                at org.jboss.as.jmx.PluggableMBeanServerImpl.invoke(PluggableMBeanServerImpl.java:246)
                                at com.ec.eccore.util.JmxHelper.flushAuthenticationCacheJBoss7(JmxHelper.java:216) [com.ec.eccore-ejb-0.0.1-SNAPSHOT.jar:]

                             

                            • 11. Re: How to add or remove roles for a given user?
                              mbuamuh

                              Hi Emanuel,

                               

                              Do you know how a similar method for getAuthenticationCachePrincipals will be written in JBoss 7? If similar to the flushAuthenticationCache, what operation will be used in this case? Thank you.

                               

                              MBeanServer server = ...;
                              String jaasMgrName = "jboss.security:service=JaasSecurityManager";
                              ObjectName jaasMgr = new ObjectName(jaasMgrName);
                              Object[] params = {domainName};
                              String[] signature = {"java.lang.String"};
                              List users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals",
                                                                params, signature);