9 Replies Latest reply on May 25, 2012 12:55 PM by makar potekhin

    Authentication cache + Roles + Database = Problem

    makar potekhin Newbie

      Hi there,

      I have a problem (AS 7.1.1). Explain what could be the reason. Simple remote standalone application. Connection is as follows:

              Properties properties = new Properties();

              properties.put("endpoint.name", "client-endpoint");

              properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");

              properties.put("remote.connections", "default");

              properties.put("remote.connection.default.host", "localhost");

              properties.put("remote.connection.default.port", "4447");

              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");

              properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

              properties.put("remote.connection.default.username", user);

              properties.put("remote.connection.default.password", password);

              EJBClientConfiguration configuration = new PropertiesBasedEJBClientConfiguration(properties);

              ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(configuration);

              EJBClientContext.setSelector(selector);

       

      Login module in security doman is "Database" and cache-type="default". User successfully login, and then close application.

      I change roles for that user. And user login again. Authentication mechanism was successfully completed. But user still has old roles (auth-cache bug?).  How I can update roles for current user?

       

      Sorry for my English :]

        • 1. Re: Authentication cache + Roles + Database = Problem
          jaikiran pai Master

          Roles are cached server side. So you will have to flush the roles cache after you change the roles. You can do this via the management operation. CLI is a tool which you can use to invoke that management operation:

           

          /subsystem=security/security-domain=Database:flush-cache

           

          where "Database" is the security-domain name.

          1 of 1 people found this helpful
          • 2. Re: Authentication cache + Roles + Database = Problem
            makar potekhin Newbie

            jaikiran pai, can I flush just only one user from cache? In the future  will be connected to a large number of clients to server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.

            • 3. Re: Authentication cache + Roles + Database = Problem
              Lukasz Szymik Newbie

              I am flushing security context with such code:

               

                         final ModelControllerClient client = ModelControllerClient.Factory.create(LOCALHOST_ADDRESS, 9999

                          try {

                              final ModelNode address = new ModelNode();

                              address.add(SUBSYSTEM, SECURITY_SUBSYSTEM);

                              address.add(SECURITY_DOMAIN, ServiceIdentities.SECURITY_CONTEXT_NAME);

               

               

                              final ModelNode operation = new ModelNode();

                              operation.get(OPERATION).set(OPERATION_FLUSH_CACHE);

                              operation.get(ADDRESS).set(address);

               

                              final ModelNode result = client.execute(operation);

               

                              if (!SUCCESS.equals(result.get(OUTCOME).asString())) {

                                  throw new Exception();

                              }

                          }

                          finally {

                              if (client != null) {

                                  client.close();

                              }

                          }

               

              And couple of constants in class:

               

                  private static final String OUTCOME = "outcome";

               

                  private static final String SUCCESS = "success";

               

                  private static final String ADDRESS = "address";

               

                  private static final String OPERATION_FLUSH_CACHE = "flush-cache";

               

                  private static final String OPERATION = "operation";

               

                  private static final String SECURITY_DOMAIN = "security-domain";

               

                  private static final String SECURITY_SUBSYSTEM = "security";

               

                  private static final String SUBSYSTEM = "subsystem";

               

                  private static final String LOCALHOST_ADDRESS = "localhost";

               

              I have integrated that class in entity which represents user's roles. Each time user is changed in DB (for instance role is added or removed) the security cache is flushed. This is rather rare use case with changing user's roles so I do not see any performance issues.

              1 of 1 people found this helpful
              • 4. Re: Authentication cache + Roles + Database = Problem
                jaikiran pai Master

                makar potekhin wrote:

                 

                jaikiran pai, can I flush just only one user from cache? In the future  will be connected to a large number of clients to server. And flushing the cache, I think, will lead to large losses in performance. Or am I mistaken? I'm just a beginner in this issue.

                There isn't a per user cache flush. It's per security domain. And like Lukasz says, changing roles at runtime isn't something that happens often and I don't really expect a performance issue here.

                • 5. Re: Authentication cache + Roles + Database = Problem
                  jaikiran pai Master

                  By the way, if you don't want to use CLI or your own custom code to invoke that operation, you can always use the admin console that's shipped in AS7 to flush the security cache.

                  • 6. Re: Authentication cache + Roles + Database = Problem
                    makar potekhin Newbie

                    jaikiran pai and Lukasz Szymik, your answers were very helpful, thank you. Lukasz Szymik`s example  works perfectly on the client side with the addition of the missing libraries. But when I put this code in  the EJB  method, the error occurs - java.lang.ClassNotFoundException: org.jboss.as.controller.client.ModelControllerClient $ Factory from [Module "deployment.ejb-example. Jar: main" from Service Module Loader].
                    What am I doing wrong? Or is there any alternatives to this code to use on the server side?

                    • 7. Re: Authentication cache + Roles + Database = Problem
                      jaikiran pai Master

                      Actually, it turns out you can indeed flush the cache per username. See this thread for details https://community.jboss.org/message/614696#614696. It even has the solution for your ClassNotFoundException.

                      • 8. Re: Authentication cache + Roles + Database = Problem
                        Lukasz Szymik Newbie

                        Indeed I have forgot to mention that MANIFEST.MF has to contain such entry:

                         

                        Manifest-Version: 1.0

                        Dependencies: org.jboss.as.controller-client,org.jboss.dmr

                        • 9. Re: Authentication cache + Roles + Database = Problem
                          makar potekhin Newbie

                          I gathered all together.  It is work. Thank you guys for your help