9 Replies Latest reply on May 25, 2012 12:55 PM by bravefox

    Authentication cache + Roles + Database = Problem

    bravefox

      Hi there,

      I have a problem (AS 7.1.1). Explain what could be the reason. Simple remote standalone application. Connection is as follows:

              Properties properties = new Properties();
              properties.put("endpoint.name", "client-endpoint");
              properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
              properties.put("remote.connections", "default");
              properties.put("remote.connection.default.host", "localhost");
              properties.put("remote.connection.default.port", "4447");
              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
              properties.put("remote.connection.default.username", user);
              properties.put("remote.connection.default.password", password);

              EJBClientConfiguration configuration = new PropertiesBasedEJBClientConfiguration(properties);
              ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(configuration);
              EJBClientContext.setSelector(selector);

       

      The login module in the security domain is "Database" and cache-type="default". The user successfully logs in and then closes the application.

      I change the roles for that user, and the user logs in again. The authentication mechanism completes successfully, but the user still has the old roles (auth-cache bug?). How can I update the roles for the current user?

       

      Sorry for my English :]

        • 1. Re: Authentication cache + Roles + Database = Problem
          jaikiran

          Roles are cached server side. So you will have to flush the roles cache after you change the roles. You can do this via the management operation. CLI is a tool which you can use to invoke that management operation:

           

          /subsystem=security/security-domain=Database:flush-cache

           

          where "Database" is the security-domain name.

          1 of 1 people found this helpful
          • 2. Re: Authentication cache + Roles + Database = Problem
            bravefox

            jaikiran pai, can I flush just one user from the cache? In the future a large number of clients will be connected to the server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.

            • 3. Re: Authentication cache + Roles + Database = Problem
              lszymik

              I am flushing the security context with code like this:

               

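                  // Needs org.jboss.as.controller.client.ModelControllerClient and org.jboss.dmr.ModelNode
                  final ModelControllerClient client = ModelControllerClient.Factory.create(LOCALHOST_ADDRESS, 9999);
                  try {
                      // Address of the security domain: /subsystem=security/security-domain=<name>
                      final ModelNode address = new ModelNode();
                      address.add(SUBSYSTEM, SECURITY_SUBSYSTEM);
                      address.add(SECURITY_DOMAIN, ServiceIdentities.SECURITY_CONTEXT_NAME);

                      // The flush-cache management operation on that address
                      final ModelNode operation = new ModelNode();
                      operation.get(OPERATION).set(OPERATION_FLUSH_CACHE);
                      operation.get(ADDRESS).set(address);

                      final ModelNode result = client.execute(operation);

                      // Anything other than "success" means the cache was not flushed
                      if (!SUCCESS.equals(result.get(OUTCOME).asString())) {
                          throw new Exception();
                      }
                  }
                  finally {
                      if (client != null) {
                          client.close();
                      }
                  }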

               

              And a couple of constants in the class:

                  private static final String OUTCOME = "outcome";
                  private static final String SUCCESS = "success";
                  private static final String ADDRESS = "address";
                  private static final String OPERATION_FLUSH_CACHE = "flush-cache";
                  private static final String OPERATION = "operation";
                  private static final String SECURITY_DOMAIN = "security-domain";
                  private static final String SECURITY_SUBSYSTEM = "security";
                  private static final String SUBSYSTEM = "subsystem";
                  private static final String LOCALHOST_ADDRESS = "localhost";

               

              I have integrated that class in the entity which represents the user's roles. Each time a user is changed in the DB (for instance a role is added or removed) the security cache is flushed. Changing a user's roles is a rather rare use case, so I do not see any performance issues.

              1 of 1 people found this helpful
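One way to wire the flush to role changes as described in this reply, as an added example that is not code from the thread: a JPA entity listener that defers `flush-cache` until the transaction has committed. The class name `RoleCacheFlusher` is hypothetical; it assumes the role change runs inside a JTA transaction, that the domain is named "Database" as in the question, and that the deployment declares the module dependencies a later reply in this thread lists.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.persistence.PostPersist;
import javax.persistence.PostRemove;
import javax.persistence.PostUpdate;
import javax.transaction.Status;
import javax.transaction.Synchronization;
import javax.transaction.TransactionSynchronizationRegistry;
import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.dmr.ModelNode;

// Hypothetical listener; attach to the role entity with @EntityListeners(RoleCacheFlusher.class).
public class RoleCacheFlusher {
    private static final String DOMAIN = "Database"; // security-domain name used in this thread
    @PostPersist @PostUpdate @PostRemove
    public void roleChanged(Object roleEntity) {
        try {
            TransactionSynchronizationRegistry tsr = (TransactionSynchronizationRegistry)
                    new InitialContext().lookup("java:comp/TransactionSynchronizationRegistry");
            // Flush only after commit: an earlier flush lets a concurrent login
            // re-cache the old roles before the new ones are visible.
            tsr.registerInterposedSynchronization(new Synchronization() {
                public void beforeCompletion() { }
                public void afterCompletion(int status) {
                    if (status == Status.STATUS_COMMITTED) flush();
                }
            });
        } catch (NamingException e) {
            throw new IllegalStateException("no transaction registry in JNDI", e);
        }
    }
    static void flush() {
        ModelControllerClient client = null;
        try {
            client = ModelControllerClient.Factory.create("localhost", 9999);
            ModelNode op = new ModelNode();
            op.get("operation").set("flush-cache");
            op.get("address").add("subsystem", "security").add("security-domain", DOMAIN);
            ModelNode result = client.execute(op);
            if (!"success".equals(result.get("outcome").asString()))
                throw new IllegalStateException("flush-cache failed: " + result.get("failure-description"));
        } catch (IOException e) { // covers UnknownHostException
            throw new IllegalStateException("management interface unreachable", e);
        } finally {
            if (client != null) try { client.close(); } catch (IOException ignored) { }
        }
    }
}
```

A failed flush after commit leaves the old roles cached, so the exception thrown from `flush()` should be logged and alerted on rather than ignored.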
              • 4. Re: Authentication cache + Roles + Database = Problem
                jaikiran

                makar potekhin wrote:

                 

                jaikiran pai, can I flush just one user from the cache? In the future a large number of clients will be connected to the server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.

                There isn't a per user cache flush. It's per security domain. And like Lukasz says, changing roles at runtime isn't something that happens often and I don't really expect a performance issue here.

                • 5. Re: Authentication cache + Roles + Database = Problem
                  jaikiran

                  By the way, if you don't want to use CLI or your own custom code to invoke that operation, you can always use the admin console that's shipped in AS7 to flush the security cache.

                  • 6. Re: Authentication cache + Roles + Database = Problem
                    bravefox

                    jaikiran pai and Lukasz Szymik, your answers were very helpful, thank you. Lukasz Szymik's example works perfectly on the client side with the addition of the missing libraries. But when I put this code in the EJB method, an error occurs: java.lang.ClassNotFoundException: org.jboss.as.controller.client.ModelControllerClient$Factory from [Module "deployment.ejb-example.jar:main" from Service Module Loader].
                    What am I doing wrong? Or are there any alternatives to this code to use on the server side?

                    • 7. Re: Authentication cache + Roles + Database = Problem
                      jaikiran

                      Actually, it turns out you can indeed flush the cache per username. See this thread for details https://community.jboss.org/message/614696#614696. It even has the solution for your ClassNotFoundException.

                      • 8. Re: Authentication cache + Roles + Database = Problem
                        lszymik

                        Indeed, I forgot to mention that MANIFEST.MF has to contain this entry:

                        Manifest-Version: 1.0
                        Dependencies: org.jboss.as.controller-client,org.jboss.dmr

                        • 9. Re: Authentication cache + Roles + Database = Problem
                          bravefox

                          I put it all together. It works. Thank you guys for your help.