2 Replies Latest reply on Jun 17, 2014 12:07 PM by bigman921

    How does user management in jBPM work?  Are sessions cached?

    bigman921

      All,

       

      I recently set up the jBPM6 demo and integrated it with an SSO solution that provides the user's login id and roles from a login module & valve.  The SSO part works perfectly, but I've noticed an odd sequence.  If I:

      1. Log in with an account with the roles "admin" and "HR" and click on my id in the upper right hand corner, I see both "admin" and "HR" listed as roles
      2. Log out (including a logout from jBPM/JBoss)
      3. Change my user's account permissions to "user" and "IT"
      4. Log in again with the same account
      5. Click on my id in the upper right hand corner and see the roles "user" and "IT" listed

      This is as I would expect.  The user has a new set of roles so those roles are shown.  However, if I now were to:

      1. Delete all cookies in my browser (thus "ending" my session)
      2. Change the user's permissions by
        1. removing the user and IT roles
        2. adding the admin role
      3. Log in to jBPM6 and click on my user id in the upper right hand corner, "user" and "IT" are still listed

        • 1. Re: How does user management in jBPM work?  Are sessions cached?
          krisverlaenen

          Do you see the same behavior with the default configuration (not using your custom SSO config)? Which AS are you using?

          • 2. Re: How does user management in jBPM work?  Are sessions cached?
            bigman921

            It's a proprietary SSO system that passes the user and role information in through an encrypted header.  The valve decrypts the header and creates the appropriate principal objects.  A login module then passes those objects back to JBoss (the login module is an implementation of UsernamePasswordLoginModule).  I have verified the following use cases:

            1. Restarting the SSO system, but not JBoss, does NOT affect the behavior

            2. Restarting JBoss, but not the SSO system, causes the session to reflect the correct roles

            I've also verified that getRoleSets() in the login module is returning the correct set of roles.  What I don't know is if the issue is in JBoss or jBPM.  I don't think you could reproduce this using the standard "other" security domain, because don't you need to restart JBoss for changes to the text files containing the user's groups to take effect?  That would clear out the "cache" if it does exist.

            I "broke" my test system for now, but once I have it working again I'll post the logs for additional context.
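A minimal login module of the kind described in this thread, added here as an illustration (it is not bigman921's code and not part of jBPM or JBoss). It extends the real `org.jboss.security.auth.spi.UsernamePasswordLoginModule` and uses the real `SimpleGroup`/`SimplePrincipal` classes; the `SsoContext` thread-local hand-off from the valve, and the class and field names around it, are assumptions made for the example. The point it shows is that a login module built this way derives roles from the current request on every `login()` call and holds no role state between logins, so if `getRoleSets()` returns the fresh roles but the application still shows the old ones, the stale data lives in a layer above the module.

```java
// Added example, not the thread's code: an SSO-backed login module for JBoss AS.
// The valve is assumed to have already verified and decrypted the SSO header and
// to publish the resulting identity through the hypothetical SsoContext below.
import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class SsoHeaderLoginModule extends UsernamePasswordLoginModule {

    /** Hypothetical hand-off from the valve: the identity of the current request only. */
    public static final class SsoContext {
        private static final ThreadLocal<SsoContext> CURRENT = new ThreadLocal<SsoContext>();
        public final String user;
        public final String[] roles;

        public SsoContext(String user, String[] roles) {
            this.user = user;
            this.roles = roles.clone();
        }

        public static void set(SsoContext ctx) { CURRENT.set(ctx); }
        public static SsoContext get() { return CURRENT.get(); }
        /** The valve must call this when the request ends so nothing leaks to the next one. */
        public static void clear() { CURRENT.remove(); }
    }

    /** There is no password store: the SSO valve already authenticated the request. */
    @Override
    protected String getUsersPassword() throws LoginException {
        return null;
    }

    /**
     * Accept the login only when the valve established an identity for this request
     * and it matches the username JBoss is currently authenticating; a request that
     * carried no valid SSO header therefore fails instead of falling through.
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        SsoContext ctx = SsoContext.get();
        return ctx != null && ctx.user.equals(getUsername());
    }

    /**
     * Roles are rebuilt from the current request on every login and never kept in a
     * field between logins, so a re-login after a permission change returns the new
     * set. Anything stale seen by the application must then come from a cache above
     * this module (the security domain's authentication cache or the web session).
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SsoContext ctx = SsoContext.get();
        if (ctx == null) {
            throw new LoginException("no SSO identity available for this request");
        }
        SimpleGroup roles = new SimpleGroup("Roles");
        for (String role : ctx.roles) {
            roles.addMember(new SimplePrincipal(role));
        }
        return new Group[] { roles };
    }
}
```

To use it as a diagnostic for the behaviour reported above: log the role names inside `getRoleSets()`, change the account's roles upstream, clear the browser cookies and log in again. If the log shows the new roles while the jBPM console still displays the old ones, the module is not the culprit; on JBoss AS 7 / EAP 6 the next thing to check is the authentication cache of the security domain (the `cache-type` attribute on `<security-domain>`), which can be emptied from jboss-cli with `/subsystem=security/security-domain=<name>:flush-cache` to confirm whether the stale roles disappear without a server restart.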