2 Replies Latest reply on Feb 21, 2017 7:06 AM by simotuokko

    How to configure Infinispan for PicketLink?

    simotuokko

      Hi,

      We are trying to implement SSO using PicketLink in JBoss EAP 7.0.3.GA. We have configured the following security-domain:

      ~~~
      <security-domain name="idp">
        <authentication>
          <login-module code="com.myCompany.MySecureLogin" flag="required">
          </login-module>
        </authentication>
      </security-domain>
      ~~~

      With this configuration the problem is that several MySecureLogin.login() method calls are made when the user logs in.

      We have tried changing cache-type to default, and then the MySecureLogin.login() method runs only once. But after the user logs out and logs in again, the MySecureLogin.login() method is not run at all.

      We tried to resolve this by calling the MBean's flushCache method in HttpSessionListener.sessionDestroyed(), but this didn't work in a cluster environment.

      ~~~
      <security-domain name="idp" cache-type="default">
      ~~~

      We have also tried changing cache-type to infinispan, but when the user logs out and logs in again the MySecureLogin.login() method is not run.

      ~~~
      <security-domain name="idp" cache-type="infinispan">
      ~~~

      We also have the following configuration in the infinispan subsystem:

      ~~~
      <cache-container name="security" default-cache="auth-cache">
        <local-cache name="auth-cache" jndi-name="true">
        </local-cache>
      </cache-container>
      ~~~

      Does anyone know how to configure the idp cache so that the cache entry is removed when the user logs out? Or can the cache entry be removed programmatically?

        • 1. Re: How to configure Infinispan for PicketLink?
          andey

          Hi,

          By default, the cache-type of your security-domain is "default", which uses a ConcurrentHashMap implementation that never expires cached entries. However, when the HTTP session is invalidated, the cache entry is removed in EAP6 (it is not removed in EAP7).

          Change the cache-type to "infinispan", which uses an Infinispan cache that has expiration capability. Please change your security-domain to use Infinispan as follows:

          ~~~
          <security-domain name="exampleSecurityDomain" cache-type="infinispan">
          ~~~

          and add the following lines to the infinispan subsystem configuration.

          ~~~
          <cache-container name="security" default-cache="exampleCache">
            <local-cache name="exampleSecurityDomain">
              <eviction strategy="LRU" max-entries="1000"/>
              <expiration lifespan="120000" max-idle="60000"/>
            </local-cache>
          </cache-container>
          ~~~

          The cache container name should be "security" with a default cache named "exampleCache" (the name is free to choose). The local-cache name should be the name of your security-domain "exampleSecurityDomain". In the above example, strategy="LRU" means that entries are selected for eviction using a least-recently-used pattern, up to 1000 accounts are cached, expiration lifespan is 120000 msec, and max idle time is 60000 msec.

          • 2. Re: How to configure Infinispan for PicketLink?
            simotuokko

            We tried changing the cache type to "infinispan" and made the following change to the infinispan subsystem (we also tried some other name for default-cache):

            ~~~
            <cache-container name="security" default-cache="idp">
              <local-cache name="idp">
                <eviction strategy="LRU" max-entries="1000"/>
                <expiration lifespan="6000" max-idle="3000"/>
              </local-cache>
            </cache-container>
            ~~~

            At first login MySecureLogin.login() is called. After logout, some waiting and re-login, no call to the MySecureLogin.login() method is made.

            I am not sure whether this is the correct way to check the infinispan cache, but with jconsole's MBean operation jboss.as->security->idp->Operations->listCachedPrincipals() we can see that one of the nodes has the principal stored in the cache. And it seems to stay there until JBoss is restarted.
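The check described in the last reply, done per node from the command line instead of through jconsole, as an added example that is not part of this thread: because a local-cache is node-local, a flush issued on one node leaves the principal cached on the others, so the script asks every node for its cached principals and flushes the given one wherever it is still present. It assumes jboss-cli.sh is on PATH, that the management interface of each node is reachable at the listed host:port pairs (placeholders), and the EAP security subsystem operations list-cached-principals and flush-cache on the security-domain resource.

```shell
#!/bin/sh
# Added example, not from the thread. Check the "idp" security-domain auth
# cache on every cluster node and flush one principal node by node.
# NODES is a constructed placeholder list of management endpoints.
NODES="node1.example.invalid:9990 node2.example.invalid:9990"
DOMAIN="idp"

# Run one management operation against one node; prints the raw DMR result.
cli() {
  jboss-cli.sh --connect --controller="$1" --command="$2"
}

# Extract principal names from a list-cached-principals result such as
#   {"outcome" => "success", "result" => ["alice", "bob"]}
# (pretty-printed over several lines by the CLI) and print one per line.
# An empty list ("result" => []) or "result" => undefined prints nothing.
parse_principals() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n 's/.*"result" => \[\(.*\)\].*/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' \
    | sed '/^$/d'
}

# Exit status 0 when the principal ($2) is in the DMR result ($1).
has_principal() {
  parse_principals "$1" | grep -qx "$2"
}

# For each node: list cached principals and flush $1 if it is still there.
flush_everywhere() {
  for node in $NODES; do
    out=$(cli "$node" "/subsystem=security/security-domain=$DOMAIN:list-cached-principals")
    if has_principal "$out" "$1"; then
      echo "$node: '$1' still cached after logout, flushing"
      cli "$node" "/subsystem=security/security-domain=$DOMAIN:flush-cache(principal=$1)" >/dev/null
    else
      echo "$node: '$1' not cached"
    fi
  done
}

# Usage: ./check-auth-cache.sh <principal>
if [ $# -gt 0 ]; then
  flush_everywhere "$1"
fi
```

Run it right after the user logs out; a node that still reports the principal is the one whose login module will be skipped at the next login.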