15 Replies. Latest reply on Mar 25, 2014 4:34 PM by Darren Jones

    In JBoss AS 7, how to set JAAS default cache timeout?

    xiang yingbing Master

      Dear all,

           In JBoss AS 7, how to set JAAS default cache timeout?

      In jboss 5, we can set it in jboss-service.xml:

        <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
              ...
            <attribute name="DefaultCacheTimeout">60</attribute>
            <attribute name="DefaultCacheResolution">30</attribute>
            ....
         </mbean>

      But how to set it in jboss as 7 standalone.xml?

      Can I set it in the element below?

              <security-realm name="ApplicationRealm">
                  <authentication>
                      <jaas name="bean-sec-domain"/>
                  </authentication>
              </security-realm>

      I tried to read the DTD from java\jboss-as-7.1.1.Final\docs\schema, but do NOT know which one to read.

      There are so many files!

        • 1. Re: In JBoss AS 7, how to set JAAS default cache timeout?
          xiang yingbing Master

          All examples about jboss 7 JAAS on the network do NOT mention this issue.

          If there is a standalone.dtd, it will be better.

          Please help me, thank you in advance.

          • 2. Re: In JBoss AS 7, how to set JAAS default cache timeout?
            xiang yingbing Master

            I am reading jboss-as-config_1_2.xsd, I hope it is the right one.

            • 3. Re: In JBoss AS 7, how to set JAAS default cache timeout?
              xiang yingbing Master

              There is only one attribute "name" defined for jaasAuthenticationType.

              • 4. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                Darran Lofthouse Master

                If you are configuring the security subsystem you need to be looking at the 'jboss-as-security_1_*.xsd' as that is the one specific to the subsystem - the config you are looking at is the general top level schema.

                1 of 1 people found this helpful
                • 5. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                  kieselhorst Newbie

                  I found out that cache-type="default" has to be set to enable caching. An alternative would be "infinispan". Unfortunately I've found nothing on configuring these variants, only that it can be disabled by removing the cache-type attribute.

                  • 6. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                    Artur Mioduszewski Newbie

                    Have you got an idea how to configure the infinispan cache?

                    I get a strange situation:

                    • when cache-type="default" in security-domain -> authentication works correctly.
                    • when I use the configuration below -> I am not able to log in (there are no errors on the JBoss console)

                    ======
                    ...
                    <security-domain name="myJaasDomain" cache-type="infinispan">
                    ...
                    <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="web">
                        <cache-container name="cluster" aliases="ha-partition" default-cache="default">
                            <transport lock-timeout="60000"/>
                            <replicated-cache name="default" mode="SYNC" batching="true">
                                <locking isolation="REPEATABLE_READ"/>
                            </replicated-cache>
                        </cache-container>
                        <cache-container name="web" aliases="standard-session-cache" default-cache="repl">
                            <transport lock-timeout="60000"/>
                            <replicated-cache name="repl" mode="ASYNC" batching="true">
                                <file-store/>
                            </replicated-cache>
                            <replicated-cache name="sso" mode="SYNC" batching="true"/>
                            <distributed-cache name="dist" mode="ASYNC" batching="true">
                                <file-store/>
                            </distributed-cache>
                        </cache-container>
                        <cache-container name="ejb" aliases="sfsb sfsb-cache" default-cache="repl">
                            <transport lock-timeout="60000"/>
                            <replicated-cache name="repl" mode="ASYNC" batching="true">
                                <file-store/>
                            </replicated-cache>
                            <replicated-cache name="remote-connector-client-mappings" mode="SYNC" batching="true"/>
                            <distributed-cache name="dist" mode="ASYNC" batching="true">
                                <file-store/>
                            </distributed-cache>
                        </cache-container>
                        <cache-container name="hibernate" default-cache="local-query">
                            <transport lock-timeout="60000"/>
                            <local-cache name="local-query">
                                <transaction mode="NONE"/>
                                <expiration max-idle="100000"/>
                            </local-cache>
                            <invalidation-cache name="entity" mode="SYNC">
                                <transaction mode="NON_XA"/>
                                <expiration max-idle="100000"/>
                            </invalidation-cache>
                            <replicated-cache name="timestamps" mode="ASYNC">
                                <transaction mode="NONE"/>
                            </replicated-cache>
                        </cache-container>
                    </subsystem>
                    ...
                    ======

                    Have you got any idea what is wrong in my configuration?

                    Regards,

                    Artur

                    • 7. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                      Darren Jones Newbie

                      I know this is an old thread, but I found the answer to this one hard to find, so thought I'd post here for others.

                      Authentication cache setup is described here:

                      [AS7-322] Add authentication cache for standalone server - JBoss Issue Tracker

                      So basically, you need something like this in your infinispan subsystem configuration (this is for wildfly, should work similarly in AS7 too). Authentication is cached for 10 seconds in this example. The "security" and "auth-cache" strings must be used:

                           <subsystem xmlns="urn:jboss:domain:infinispan:2.0">
                               <cache-container name="security" aliases="standard-security-cache" default-cache="auth-cache" module="org.wildfly.clustering.web.infinispan">
                                   <local-cache name="auth-cache" batching="true">
                                       <expiration lifespan="10000"/>
                                   </local-cache>
                               </cache-container>
                               ...

                      1 of 1 people found this helpful
                      • 9. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                        Artur Mioduszewski Newbie

                        Thanks Darren.

                        For JBoss EAP 6.1 below standalone.xml configuration somehow works:

                        ------------------------------------------------------------------------------------------------------
                        ...
                        <subsystem xmlns="urn:jboss:domain:infinispan:1.4">
                            <cache-container name="security" default-cache="auth-cache">
                            </cache-container>
                        ...
                        <security-domain name="myJaasDomain" cache-type="infinispan">
                        ...
                        ------------------------------------------------------------------------------------------------------

                        • 10. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                          Tiago Rico Newbie

                          Hi,

                          Any news on this?! Also googled solutions on this and found nothing on the web!

                          Also tried the example described here and the solution will not work on AS7.1.1 Final!

                          Cheers

                          • 11. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                            xiang yingbing Master

                            You can refresh somebody's data in the JAAS cache, or refresh the whole JAAS cache, programmatically:

                            import java.lang.management.ManagementFactory;
                            import java.util.logging.Logger; // assumption: the post does not show which Logger is imported
                            import javax.annotation.security.PermitAll;
                            import javax.ejb.EJB;
                            import javax.ejb.Local;
                            import javax.ejb.Stateless;
                            import javax.management.MBeanServerConnection;
                            import javax.management.ObjectName;

                            // IJaasCacheSession and ICoreService are the poster's own interfaces (not shown).
                            @Stateless
                            @Local(IJaasCacheSession.class)
                            public class JaasCacheSession implements IJaasCacheSession {
                                Logger log = Logger.getLogger(JaasCacheSession.class.getName());

                                @EJB
                                ICoreService coreService;

                                // Flush every cached entry of the given security domain.
                                // @PermitAll lets a caller in any role invoke this method.
                                @PermitAll()
                                public void flushJaasCache(String securityDomain) {
                                    try {
                                        MBeanServerConnection mbeanServerConnection
                                            = ManagementFactory.getPlatformMBeanServer();
                                        // securityDomain is concatenated into the ObjectName as-is.
                                        ObjectName mbeanName = new ObjectName(
                                                "jboss.as:subsystem=security,security-domain="
                                                        + securityDomain);
                                        mbeanServerConnection.invoke(mbeanName, "flushCache", null, null);
                                    } catch (Exception e) {
                                        throw new SecurityException(e);
                                    }
                                }

                                // Flush only the cached entry of one user in the given security domain.
                                @PermitAll()
                                public void flushJaasCache(String securityDomain, String jaasUsername) {
                                    try {
                                        Object[] params = { jaasUsername };
                                        String[] signature = { "java.lang.String" };

                                        MBeanServerConnection mbeanServerConnection
                                            = ManagementFactory.getPlatformMBeanServer();
                                        ObjectName mbeanName = new ObjectName(
                                                "jboss.as:subsystem=security,security-domain="
                                                        + securityDomain);
                                        mbeanServerConnection.invoke(mbeanName, "flushCache", params,
                                                signature);
                                    } catch (Exception e) {
                                        throw new SecurityException(e);
                                    }
                                }

                                // Convenience wrappers for the application's own security domain.
                                @PermitAll()
                                public void flushJavaarmForumSecurityDomainJaasCache() {
                                    flushJaasCache(coreService.getJavaarmForumJaasSecurityDomain());
                                }

                                @PermitAll()
                                public void flushJavaarmForumSecurityDomainJaasCache(String jaasUsername) {
                                    flushJaasCache(coreService.getJavaarmForumJaasSecurityDomain(), jaasUsername);
                                }
                            }

                            • 12. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                              Tiago Rico Newbie

                              So it means there isn't a per-container configuration?? You can only set it programmatically? And do you know what the difference is between cache=default vs cache=infinispan? Isn't the AS7 default cache implementation infinispan?

                              Thanks, best regards

                              • 13. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                                Darren Jones Newbie

                                The AS7 default cache is not "infinispan" - it's a simple in-memory cache. The cache type must be explicitly set to "infinispan", and the corresponding "security" cache-container must be configured, as per the above examples (post 9 is probably the closest example for JBoss 7.1.1).

                                 

                                If this is not working, could you post your infinispan subsystem and security-domain configuration?
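A configuration check for what posts 7 and 13 describe, as an added example that is not part of the original thread: it parses a standalone.xml and reports, per security domain, whether cache-type="infinispan" is backed by a "security" cache-container whose default cache has an expiration lifespan. The sample XML is constructed from fragments in this thread and the function names are hypothetical; the check reads configuration only and does not confirm what the server does at runtime.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a trimmed standalone.xml assembled from fragments in this thread.
SAMPLE = """<server xmlns="urn:jboss:domain:1.2"><profile>
  <subsystem xmlns="urn:jboss:domain:infinispan:1.2">
    <cache-container name="security" default-cache="auth-cache">
      <local-cache name="auth-cache" batching="true">
        <expiration lifespan="30000"/>
      </local-cache>
    </cache-container>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
      <security-domain name="QualificationRealm" cache-type="default"/>
      <security-domain name="OncallRealm" cache-type="infinispan"/>
      <security-domain name="NoCacheRealm"/>
    </security-domains>
  </subsystem>
</profile></server>"""

SECURITY_NS = "{urn:jboss:domain:security:"  # prefix only; the version suffix varies

def local(tag):
    """Drop the '{namespace}' part so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]

def auth_cache_lifespan_ms(root):
    """Lifespan (ms) of the default cache in the 'security' container, else None."""
    for cc in root.iter():
        if local(cc.tag) != "cache-container" or cc.get("name") != "security":
            continue
        for cache in cc:
            if cache.get("name") == cc.get("default-cache"):
                for exp in cache:
                    if local(exp.tag) == "expiration" and exp.get("lifespan"):
                        return int(exp.get("lifespan"))
    return None

def audit(xml_text):
    """Map each security-domain name to a finding about its authentication cache."""
    root = ET.fromstring(xml_text)
    lifespan = auth_cache_lifespan_ms(root)
    findings = {}
    for sd in root.iter():
        # Only the security subsystem's elements; datasources reuse the tag name.
        if not (sd.tag.startswith(SECURITY_NS) and local(sd.tag) == "security-domain"):
            continue
        ctype = sd.get("cache-type")
        if ctype is None:
            finding = "no cache-type: authentication caching is off"
        elif ctype != "infinispan":
            finding = f"cache-type={ctype}: the infinispan lifespan does not apply"
        elif lifespan is None:
            finding = "infinispan, but no 'security' default cache with a lifespan"
        else:
            finding = f"infinispan: cached logins expire after {lifespan} ms"
        findings[sd.get("name")] = finding
    return findings

if __name__ == "__main__":
    print("\n".join(f"{n}: {f}" for n, f in audit(SAMPLE).items()))
```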

                                • 14. Re: In JBoss AS 7, how to set JAAS default cache timeout?
                                  Tiago Rico Newbie

                                  Hi Darren,

                                  Well I was trying to configure the default cache system! But I cannot find any example of how to configure JaasSecurityManagerService timeouts in JBoss7...

                                  Then I tried to move to infinispan.... but then it seems that the container simply bypasses the cache-type="infinispan" and uses default! Weird...

                                  Here is a test configuration:

                                  <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate">
                                      ......
                                      <cache-container name="security" default-cache="auth-cache">
                                          <local-cache name="auth-cache" batching="true">
                                              <expiration lifespan="30000"/>
                                          </local-cache>
                                      </cache-container>
                                  </subsystem>

                                  then on security domains:

                                  <security-domain name="QualificationRealm" cache-type="default">
                                      <authentication>
                                          <login-module code="Kerberos" flag="required">
                                              <module-option name="storeKey" value="true"/>
                                              <module-option name="useKeyTab" value="true"/>
                                              <module-option name="principal" value="HTTP/ONCALL.qualification.loc@QUALIFICATION.LOC"/>
                                              <module-option name="keyTab" value="D:\web-servers\jboss-as-7.1.1.final-oncall\standalone\configuration\sso\oncall.keytab"/>
                                              <module-option name="doNotPrompt" value="true"/>
                                              <module-option name="debug" value="true"/>
                                          </login-module>
                                      </authentication>
                                  </security-domain>
                                  <security-domain name="OncallRealm" cache-type="infinispan">
                                      <authentication>
                                          <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                              <module-option name="serverSecurityDomain" value="QualificationRealm"/>
                                              <module-option name="removeRealmFromPrincipal" value="true"/>
                                          </login-module>
                                          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                              <module-option name="dsJndiName" value="java:jboss/datasources/oncall"/>
                                              <module-option name="principalsQuery" value="select USERID from ONCALL_USER where lower(LOGIN)=lower(?) and ACTIVE = 1"/>
                                              <module-option name="rolesQuery" value="select 'ONCALL_USER', 'Roles' from ONCALL_USER where lower(LOGIN)=lower(?)"/>
                                          </login-module>
                                      </authentication>
                                  </security-domain>

                                  From my tests, this configuration still uses the default cache timeout, which is 30 minutes... and not the 30 seconds I've configured in infinispan...

                                  Well I wanted to know two things....

                                  How can I configure the JaasSecurityManagerService in Jboss7 or how can I set the default cache timeout?

                                  What is missing from my configuration so that SPNEGOLoginModule and DatabaseServerLoginModule start to use infinispan!?

                                  Thank you very much
