-
1. Re: Authentication cache + Roles + Database = Problem
jaikiran May 24, 2012 10:26 AM (in response to bravefox)
1 of 1 people found this helpful
Roles are cached server side. So you will have to flush the roles cache after you change the roles. You can do this via the management operation. CLI is a tool which you can use to invoke that management operation:
/subsystem=security/security-domain=Database:flush-cache
where "Database" is the security-domain name.
-
2. Re: Authentication cache + Roles + Database = Problem
bravefox May 24, 2012 1:10 PM (in response to jaikiran)
jaikiran pai, can I flush just one user from the cache? In the future a large number of clients will be connected to the server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.
-
3. Re: Authentication cache + Roles + Database = Problem
lszymik May 24, 2012 3:16 PM (in response to bravefox)
1 of 1 people found this helpful
I am flushing the security context with this code:
    // Connect to the native management interface of the local server
    final ModelControllerClient client = ModelControllerClient.Factory.create(LOCALHOST_ADDRESS, 9999);
    try {
        // Address of the security domain: /subsystem=security/security-domain=<name>
        final ModelNode address = new ModelNode();
        address.add(SUBSYSTEM, SECURITY_SUBSYSTEM);
        address.add(SECURITY_DOMAIN, ServiceIdentities.SECURITY_CONTEXT_NAME);
        // The flush-cache operation on that address
        final ModelNode operation = new ModelNode();
        operation.get(OPERATION).set(OPERATION_FLUSH_CACHE);
        operation.get(ADDRESS).set(address);
        final ModelNode result = client.execute(operation);
        // Anything other than outcome=success means the cache was not flushed
        if (!SUCCESS.equals(result.get(OUTCOME).asString())) {
            throw new Exception();
        }
    }
    finally {
        if (client != null) {
            client.close();
        }
    }
And a couple of constants in the class:
    private static final String OUTCOME = "outcome";
    private static final String SUCCESS = "success";
    private static final String ADDRESS = "address";
    private static final String OPERATION_FLUSH_CACHE = "flush-cache";
    private static final String OPERATION = "operation";
    private static final String SECURITY_DOMAIN = "security-domain";
    private static final String SECURITY_SUBSYSTEM = "security";
    private static final String SUBSYSTEM = "subsystem";
    private static final String LOCALHOST_ADDRESS = "localhost";
I have integrated that class in the entity which represents the user's roles. Each time a user is changed in the DB (for instance a role is added or removed) the security cache is flushed. Changing a user's roles is a rather rare use case, so I do not see any performance issues.
-
4. Re: Authentication cache + Roles + Database = Problem
jaikiran May 25, 2012 2:25 AM (in response to bravefox)
makar potekhin wrote:
jaikiran pai, can I flush just one user from the cache? In the future a large number of clients will be connected to the server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.
There isn't a per-user cache flush. It's per security domain. And like Lukasz says, changing roles at runtime isn't something that happens often and I don't really expect a performance issue here.
-
5. Re: Authentication cache + Roles + Database = Problem
jaikiran May 25, 2012 2:26 AM (in response to lszymik)
By the way, if you don't want to use CLI or your own custom code to invoke that operation, you can always use the admin console that's shipped in AS7 to flush the security cache.
-
6. Re: Authentication cache + Roles + Database = Problem
bravefox May 25, 2012 4:16 AM (in response to bravefox)
jaikiran pai and Lukasz Szymik, your answers were very helpful, thank you. Lukasz Szymik's example works perfectly on the client side with the addition of the missing libraries. But when I put this code in the EJB method, an error occurs - java.lang.ClassNotFoundException: org.jboss.as.controller.client.ModelControllerClient$Factory from [Module "deployment.ejb-example.jar:main" from Service Module Loader].
What am I doing wrong? Or are there any alternatives to this code to use on the server side?
-
7. Re: Authentication cache + Roles + Database = Problem
jaikiran May 25, 2012 5:46 AM (in response to bravefox)
Actually, it turns out you can indeed flush the cache per username. See this thread for details https://community.jboss.org/message/614696#614696. It even has the solution for your ClassNotFoundException.
-
8. Re: Authentication cache + Roles + Database = Problem
lszymik May 25, 2012 5:49 AM (in response to bravefox)
Indeed, I forgot to mention that MANIFEST.MF has to contain such an entry:
Manifest-Version: 1.0
Dependencies: org.jboss.as.controller-client,org.jboss.dmr
-
9. Re: Authentication cache + Roles + Database = Problem
bravefox May 25, 2012 12:55 PM (in response to bravefox)
I gathered it all together. It works. Thank you guys for your help
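
The flush discussed in this thread as a reusable helper, added here as an example (not code from any poster or from the JBoss project); it reports the server's failure-description, because a flush that fails silently leaves changed roles cached. It assumes flush-cache accepts an optional "principal" parameter for the per-username flush mentioned in reply 7, which this page does not show; the class name SecurityCacheFlusher and the user "alice" are hypothetical, and server-side use needs the MANIFEST.MF dependencies from reply 8.

```java
import java.io.IOException;

import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.dmr.ModelNode;

/** Added example (hypothetical class): flush a security domain's cache, optionally for one user. */
public final class SecurityCacheFlusher {

    // Builds flush-cache for /subsystem=security/security-domain=<domain>.
    // ASSUMPTION: the operation accepts an optional "principal" parameter;
    // with principal == null the whole domain cache is flushed, as in the thread.
    static ModelNode buildFlushOperation(String domain, String principal) {
        if (domain == null || domain.isEmpty()) {
            throw new IllegalArgumentException("security domain name is required");
        }
        ModelNode op = new ModelNode();
        op.get("operation").set("flush-cache");
        op.get("address").add("subsystem", "security");
        op.get("address").add("security-domain", domain);
        if (principal != null && !principal.isEmpty()) {
            op.get("principal").set(principal);
        }
        return op;
    }

    // Executes the flush and throws with the server's reason if it did not succeed.
    static void flush(String host, int port, String domain, String principal) throws IOException {
        ModelControllerClient client = ModelControllerClient.Factory.create(host, port);
        try {
            ModelNode result = client.execute(buildFlushOperation(domain, principal));
            if (!"success".equals(result.get("outcome").asString())) {
                String why = result.hasDefined("failure-description")
                        ? result.get("failure-description").asString() : "no failure-description";
                throw new IllegalStateException("flush-cache failed for " + domain + ": " + why);
            }
        } finally {
            client.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values: domain "Database" is from the thread, "alice" is made up.
        System.out.println(buildFlushOperation("Database", null));
        System.out.println(buildFlushOperation("Database", "alice"));
        if (args.length > 0) { // pass any argument to run against a live server on localhost:9999
            flush("localhost", 9999, "Database", "alice");
        }
    }
}
```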