2 Replies Latest reply on Oct 2, 2015 8:24 AM by vteferrer

    Seems like Wildfly 9.0.1 is not flushing user credentials in session expiration

    vteferrer

      Hi,

       

We have an application running with SSO in Wildfly 8.2.0 and we are migrating it to 9.0.1. In the 8.2.0 version we have explicit code to flush the user credentials after every logout, even covering the case where the user closes the browser directly, through the close of a websocket that programmatically accesses the MBeans and invokes flushCache on the element jboss.as:subsystem=security,security-domain=own_security_domain:

       

      import java.util.EnumSet;

      import javax.management.InstanceNotFoundException;
      import javax.management.MBeanException;
      import javax.management.MBeanServer;
      import javax.management.MBeanServerFactory;
      import javax.management.MalformedObjectNameException;
      import javax.management.ObjectName;
      import javax.management.ReflectionException;
      import javax.websocket.CloseReason;
      import javax.websocket.Session;

      public final class SessionUtil {

           // Security domain whose authentication cache is flushed
           // (the security-domain=own_security_domain element of the MBean name).
           private static final String AUTH_REALM_NAME = "own_security_domain";

           private SessionUtil() { }

           // Flush the cached JAAS credentials of the websocket's user when the socket closes.
           // GOING_AWAY / CLOSED_ABNORMALLY cover the browser being closed directly.
           public static void logout(Session session, CloseReason reason)
                   throws InstanceNotFoundException, MalformedObjectNameException, ReflectionException, MBeanException {
                CloseReason.CloseCode closeReason = reason != null ? reason.getCloseCode() : null;
                // EnumSet membership stands in for the Op.in helper that is not shown in the post
                // (assumed to be a plain "is one of" test); contains(null) is simply false.
                boolean flushWorthy = EnumSet.of(
                         CloseReason.CloseCodes.GOING_AWAY,
                         CloseReason.CloseCodes.CLOSED_ABNORMALLY,
                         CloseReason.CloseCodes.NORMAL_CLOSURE).contains(closeReason);
                // Guard against an unauthenticated socket, whose principal is null.
                if (flushWorthy && session.getUserPrincipal() != null) {
                    SessionUtil.flushAuthenticationCache(session.getUserPrincipal().getName());
                }
           }

           // Invoke flushCache(principal) on the security-domain MBean that the jmx subsystem
           // exposes under the jboss.as JMX domain.
           private static void flushAuthenticationCache(String userId)
                   throws InstanceNotFoundException, ReflectionException, MBeanException, MalformedObjectNameException {
                ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + AUTH_REALM_NAME);
                MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
                server.invoke(jaasMgr, "flushCache", new Object[]{userId}, new String[]{"java.lang.String"});
           }
      }
      

       

      The websocket close invokes this method:

       

      import javax.management.InstanceNotFoundException;
      import javax.management.MBeanException;
      import javax.management.MalformedObjectNameException;
      import javax.management.ReflectionException;
      import javax.websocket.CloseReason;
      import javax.websocket.OnClose;
      import javax.websocket.Session;
      import javax.websocket.server.ServerEndpoint;

      @ServerEndpoint(value = "/websocket")
      public class SessionWebsocket {
          // Called by the container for every close, including abnormal ones (browser closed).
          @OnClose
          public void close(Session session, CloseReason reason)
                  throws InstanceNotFoundException, MalformedObjectNameException, ReflectionException, MBeanException {
              SessionUtil.logout(session, reason);
          }
      }
      

       

      There is a WildFly issue marked as Done in 9.0.0.Beta1, https://issues.jboss.org/browse/WFLY-3221; we thought we could remove this workaround now in 9.0.1, but the problem remains.

       

      It seems that the issue is not really solved, because:

      1. Log in to the application (a JAAS module loads the user groups from the database).
      2. Modify the user roles in the database. For this test, I remove a role from the user, say the role identified by XXX.
      3. Wait for the session-timeout to log the user out.
      4. Press F5. WildFly asks for login again, redirecting me to the login form.
      5. Log in again.
      6. After the login, I call ctx.isCallerInRole("XXX"). It returns an incorrect value (in fact, the method responds "true", as if the user had the role, but we removed it in step 2) because the login process has not reloaded the user credentials.

       

      Are we doing something wrong, or maybe the referenced JIRA issue has not really been solved?

       

      Thanks in advance.
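The workaround in the post flushes the security domain's authentication cache from the websocket's @OnClose, so it only fires when a socket actually closes; step 3 of the reproduction (session-timeout with no browser activity) is exactly the case where no close may arrive. The following is an added example, not code from the post or from WildFly: it flushes the same MBean operation from an HttpSessionListener, which the container invokes on session expiry as well as on explicit invalidation. The security-domain name own_security_domain is taken from the post; the session attribute name, the filter mapping and the use of the platform MBeanServer are assumptions of this example.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.security.Principal;

import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Flushes the security domain's authentication cache whenever an HTTP session ends,
// including the session-timeout case in which no websocket close is ever received.
@WebListener
public class AuthCacheFlushListener implements HttpSessionListener {

    // Security domain named in the post; adjust to the name used in standalone.xml.
    static final String SECURITY_DOMAIN = "own_security_domain";

    // Hypothetical session attribute under which PrincipalRecordingFilter stores the user name.
    static final String PRINCIPAL_ATTR = "example.authenticatedPrincipal";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do when a session is created.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // At expiry there is no request and no principal on the session any more,
        // so the user name must have been recorded earlier by the filter below.
        Object principal = se.getSession().getAttribute(PRINCIPAL_ATTR);
        if (principal == null) {
            return; // session was never authenticated: nothing is cached under a user name
        }
        try {
            flushAuthenticationCache(SECURITY_DOMAIN, principal.toString());
        } catch (JMException e) {
            // A management failure must not break session cleanup; log it and carry on.
            se.getSession().getServletContext().log("flushCache failed for principal " + principal, e);
        }
    }

    // Same MBean operation the post invokes, here through the platform MBeanServer
    // (assumed to be the server the jmx subsystem registers the jboss.as beans with).
    static void flushAuthenticationCache(String securityDomain, String principal) throws JMException {
        ObjectName domain = new ObjectName("jboss.as:subsystem=security,security-domain=" + securityDomain);
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        server.invoke(domain, "flushCache", new Object[] { principal }, new String[] { String.class.getName() });
    }
}

// Records the authenticated principal on the session on every request, so that the
// name is still available when sessionDestroyed fires after the timeout.
@WebFilter("/*")
class PrincipalRecordingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            Principal user = httpReq.getUserPrincipal();
            if (user != null) {
                HttpSession session = httpReq.getSession(true);
                session.setAttribute(AuthCacheFlushListener.PRINCIPAL_ATTR, user.getName());
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Like the post's own code, this depends on the jmx subsystem exposing the management model under the jboss.as JMX domain, otherwise the ObjectName is not found. Flushing per principal keeps other users' cached logins intact; if the goal is simply that every login re-reads the roles from the database, removing the cache-type attribute from the security domain disables the authentication cache altogether, at the cost of running the database login module on every authenticated request.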