9 Replies Latest reply on Apr 10, 2014 9:27 AM by yersan

    Wildfly security domain doesn't flush roles after logout in a web application

    rafael.silvestri

      I have a Database login module in my Wildfly 8.0.0.Final. My problem is that when I log in with a user and change their roles, even after logging out and logging in again the roles are not changed. I need to stop and start the server for the user to get the new roles.

      When I remove "cache-type=default" from the standalone-full.xml in wildfly it works, but for every action made on the site the login method in the authentication module is called, which is very bad.

      In the jboss-web.xml the parameter flushOnSessionInvalidation="true" seems to be the right answer to this problem, but it has no effect.

      This is the same question:  http://stackoverflow.com/questions/21931637/wildfly-caches-roles-after-logout-in-a-web-application

      Thank you for any help!

        • 1. Re: Wildfly security domain doesn't flush roles after logout in a web application
          ctomc
          <valve>
            <class-name>utils.MyAuthenticator</class-name>
          </valve>

          in jboss-web.xml does nothing and is ignored in WildFly, you can remove it.

           

          Are you sure the session was properly invalidated?

          To monitor that, you can add a SessionListener in which you will get an event on session create/destroy.

          • 2. Re: Wildfly security domain doesn't flush roles after logout in a web application
            rafael.silvestri

            Actually, I have a default "Database" login module and I don't have any valve in jboss-web.xml.

            I'm sure that my session is really invalidated. It works fine in jboss-as-7.0.1.

            Below I show my configuration.

             

            <security-domain name="DominioImovelRealm" cache-type="default">
                <authentication>
                    <login-module code="Database" flag="required">
                        <module-option name="dsJndiName" value="java:/jdbc/MyDS"/>
                        <module-option name="principalsQuery" value="SELECT PASSWORD FROM DBA.USERS WHERE USERNAME=?"/>
                        <module-option name="rolesQuery" value="SELECT ROLE, 'Roles' FROM DBA.ROLES WHERE USERNAME=?"/>
                        <module-option name="hashAlgorithm" value="SHA-256"/>
                        <module-option name="hashEncoding" value="HEX"/>
                    </login-module>
                </authentication>
            </security-domain>

             

            Any idea?

            Thanks for your help.

            • 3. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
              lc1207h

              I am in the same boat here. I have set up a custom database login module and that works, but the logout functionality does not. I have pasted the relevant standalone.xml, jboss-web.xml and my servlet logout code. The issue is that the session does not get invalidated after logout. Using the same JSESSIONIDSSO cookie, the user can still access pages that require roles even after logging out.

               

              standalone.xml

              <security-domain name="myname-form" cache-type="default">
                  <authentication>
                      <login-module code="com.myname.DatabaseModLoginModule" flag="sufficient">
                          <module-option name="securityDomain" value="jsse-myname"/>
                          <module-option name="verifier" value="com.myname.MyVerifier"/>
                          <module-option name="dsJndiName" value="java:/jdbc/myds"/>
                          <module-option name="rolesQuery" value="exec h_Get_Roles ?"/>
                      </login-module>
                  </authentication>
              </security-domain>
              
              

               

              jboss-web.xml

              <jboss-web>
                <security-domain flushOnSessionInvalidation="true">myname-form</security-domain>
                <valve>
                  <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
                </valve>
                <context-root>/myname-form</context-root>
              </jboss-web>
              
              

               

              LogoutServlet.java

              import java.io.IOException;
              import javax.servlet.ServletException;
              import javax.servlet.http.HttpServlet;
              import javax.servlet.http.HttpServletRequest;
              import javax.servlet.http.HttpServletResponse;

              public class LogoutServlet extends HttpServlet {

                  @Override
                  protected void doGet(HttpServletRequest request,
                          HttpServletResponse response) throws ServletException, IOException {

                      // Keep the logout response out of browser/proxy caches
                      response.setHeader("Cache-Control", "no-cache, no-store");
                      response.setHeader("Pragma", "no-cache");
                      response.setHeader("Expires", new java.util.Date().toString());

                      // Invalidate the existing session, if there is one
                      if (request.getSession(false) != null) {
                          request.getSession(false).invalidate();
                      }
                      // getSession() never returns null: this creates a fresh session and invalidates it too
                      if (request.getSession() != null) {
                          request.getSession().invalidate();
                      }

                      // Clear the authenticated principal for this request
                      request.logout();
                      response.sendRedirect(request.getScheme() + "://" + request.getServerName());
                  }
              }

               

              Is this something that is an issue with Wildfly or is something misconfigured here?

              • 4. Re: Wildfly security domain doesn't flush roles after logout in a web application
                jimarmol

                Any luck, guys? I am having the same problem. The credentials are only flushed when the server is restarted.

                • 5. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
                  ctomc

                  Can you try with wildfly nightly builds?

                   

                  We fixed lots of SSO-related bugs for 8.0.1, which we plan to release in a few days.

                   

                  You can grab nightly here https://community.jboss.org/thread/224262

                   

                  and please let us know if you are still seeing problems, so we might still have time to fix it for 8.0.1.

                  • 6. Re: Wildfly security domain doesn't flush roles after logout in a web application
                    jimarmol

                    Hi Tomaz

                     

                    I downloaded the nightly build as you suggested, but still I am having the same issue. It looks like it has not been fixed yet.

                    • 7. Re: Wildfly security domain doesn't flush roles after logout in a web application
                      renannp

                      I'm facing the same issue with Wildfly 8.0.0.Final.

                      I also face an issue with j_security_check where sometimes it says that POST is not supported by j_security_check.

                      Maybe a bug should be opened to track this issue; I think it is a very critical feature that should be in 8.0.1.

                      Meanwhile I'll move to JBoss AS again...

                       

                      Thanks

                      • 8. Re: Wildfly security domain doesn't flush roles after logout in a web application
                        jimarmol

                        Hi renannp

                         

                        I created a ticket for this: https://issues.jboss.org/browse/WFLY-3221. It would be a good idea if you add your comments to that ticket to see if it gets assigned to a future version.

                        • 9. Re: Wildfly security domain doesn't flush roles after logout in a web application
                          yersan

                          Hi all, maybe someone can be helped with this; as a workaround we are cleaning the cache with this method in an EJB:

                           

                          // imports needed by the method below
                          import java.util.logging.Level;
                          import java.util.logging.Logger;
                          import javax.ejb.EJBException;
                          import javax.management.*;

                          private void flushAuthenticationCache(String userid) {
                              try {
                                  final String domain = "your-policy-name";

                                  // MBean of the security domain, exposed by the jmx subsystem
                                  ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + domain);
                                  Object[] params = {userid};
                                  String[] signature = {"java.lang.String"};
                                  MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
                                  // Drop this principal's cached credentials and roles from the domain cache
                                  server.invoke(jaasMgr, "flushCache", params, signature);
                              } catch (MalformedObjectNameException | InstanceNotFoundException | MBeanException | ReflectionException ex) {
                                  Logger.getLogger(LoginService.class.getName()).log(Level.SEVERE, null, ex);
                                  throw new EJBException(ex);
                              }
                          }
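The two suggestions in this thread fit together: reply 1 says to watch session create/destroy with a listener to confirm the session really is invalidated, and reply 9 flushes the security domain cache for one principal over JMX. The following is an added example (not code from any poster or from WildFly) that does both in a single `HttpSessionListener`: it logs each create/destroy event and, when a session that belonged to an authenticated user is destroyed, invokes the same `flushCache` operation on the security domain MBean so the next login re-runs `rolesQuery`. The security domain name `DominioImovelRealm`, the session attribute `authenticatedUser` (which the application is assumed to set when the user logs in) and the class name are assumptions; the lookup through the platform MBeanServer assumes the jmx subsystem exposes the resolved model there, which is the default in WildFly's standalone*.xml.

```java
package utils; // hypothetical package

import java.lang.management.ManagementFactory;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Logs session lifecycle events (to verify that logout really invalidates the
 * session) and flushes the destroyed session's user from the security domain's
 * authentication cache. Registered through @WebListener, so no web.xml entry is needed.
 */
@WebListener
public class CacheFlushingSessionListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(CacheFlushingSessionListener.class.getName());

    // ASSUMPTION: the security domain name used in standalone.xml / jboss-web.xml
    private static final String SECURITY_DOMAIN = "DominioImovelRealm";

    // ASSUMPTION: the application stores the login name under this attribute after a successful login
    public static final String USER_ATTRIBUTE = "authenticatedUser";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.log(Level.INFO, "session created: {0}", se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Attributes are still readable here: listeners run before the invalidation completes
        Object user = session.getAttribute(USER_ATTRIBUTE);
        LOG.log(Level.INFO, "session destroyed: {0} (user={1})", new Object[]{session.getId(), user});
        if (user != null) {
            flushAuthenticationCache(user.toString());
        }
    }

    /** Removes one principal's cached credentials and roles from the security domain cache. */
    static void flushAuthenticationCache(String userId) {
        try {
            ObjectName domain = new ObjectName("jboss.as:subsystem=security,security-domain=" + SECURITY_DOMAIN);
            // ASSUMPTION: the jmx subsystem registers the jboss.as model in the platform MBeanServer
            MBeanServer server = ManagementFactory.getPlatformMBeanServer();
            server.invoke(domain, "flushCache", new Object[]{userId}, new String[]{"java.lang.String"});
            LOG.log(Level.INFO, "flushed cached credentials/roles for {0}", userId);
        } catch (JMException ex) {
            // A failed flush must not break logout; record it so the stale cache entry is visible in the log
            LOG.log(Level.WARNING, "could not flush security cache for " + userId, ex);
        }
    }
}
```

If the "session destroyed" line never appears in the log after logout, the session was not invalidated and no flush can happen, which is the situation reply 3 describes; the listener then doubles as the check reply 1 asked for. The same operation is available from the CLI as `/subsystem=security/security-domain=DominioImovelRealm:flush-cache(principal=...)` for flushing a single user by hand after changing their roles in the database.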