9 Replies Latest reply on Apr 10, 2014 9:27 AM by yersan

    Wildfly security domain doesn't flush roles after logout in a web application

    Rafael Cechinel Silvestri Newbie

      I have a Database login module in my Wildfly 8.0.0.Final. My problem is that when I login with a user and change your roles, even logout and login again the roles are not changed. I need stop and start the server for user get the new roles.

      When I remove "cache-type=default" from the standalone-full.xml in wildfly it works, but for every action made on the side the login method in the authentication module is called which is very bad.

      In the jboss-web.xml the parameter flushOnSessionInvalidation="true" seems to be the right answer to this problem, but it has no effect.

      This is the same question:  http://stackoverflow.com/questions/21931637/wildfly-caches-roles-after-logout-in-a-web-application

      Thank you for any help!

        • 1. Re: Wildfly security domain doesn't flush roles after logout in a web application
          Tomaz Cerar Master
          <valve>
            
          <class-name>utils.MyAuthenticator</class-name>
          </valve>

          in jboss-web.xml does noting and is ignored in WildFly, you can remove it.

           

          Are you sure session was properly invalidated?

          To monitor that, you can add SessionListener in which you will get event on session create/destroy.

          • 2. Re: Wildfly security domain doesn't flush roles after logout in a web application
            Rafael Cechinel Silvestri Newbie

            Actually, i have a default "Database" login module and i don't have any valve in jboss-web.xml.

            I'm sure that my session is really invalidated. It's work fine in jboss-as-7.0.1

            Below i show my configuration.

             

            <security-domain name="DominioImovelRealm" cache-type="default">

                                <authentication>

                                    <login-module code="Database" flag="required">

                                        <module-option name="dsJndiName" value="java:/jdbc/MyDS"/>

                                        <module-option name="principalsQuery" value="SELECT PASSWORD FROM DBA.USERS WHERE USERNAME=?"/>

                                        <module-option name="rolesQuery" value="SELECT ROLE, 'Roles' FROM DBA.ROLES WHERE USERNAME=?"/>

                                        <module-option name="hashAlgorithm" value="SHA-256"/>

                                        <module-option name="hashEncoding" value="HEX"/>

                                    </login-module>

                             </authentication>

            </security-domain>

             

            Any idea?

            Thanks for your help.

            • 3. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
              Jason Kim Newbie

              I am in the same boat here. I have set up a custom database login module and that works, but the logout functionality does not. I have pasted the relevant standalone.xml, jboss-web.xml and my servlet logout code. The issue is that the session does not get invalidated after logout. Using the same JSESSIONIDSSO cookie, the user can still access pages that require roles even after logging out.

               

              standalone.xml

              <security-domain name="myname-form" cache-type="default">
                  <authentication>
                      <login-module code="com.myname.DatabaseModLoginModule" flag="sufficient">
                          <module-option name="securityDomain" value="jsse-myname"/>
                          <module-option name="verifier" value="com.myname.MyVerifier"/>
                          <module-option name="dsJndiName" value="java:/jdbc/myds"/>
                          <module-option name="rolesQuery" value="exec h_Get_Roles ?"/>
                      </login-module>
                  </authentication>
              </security-domain>
              
              

               

              jboss-web.xml

              <jboss-web>
                <security-domain flushOnSessionInvalidation="true">myname-form</security-domain>
                <valve>
                  <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
                </valve>
                <context-root>/myname-form</context-root>
              </jboss-web>
              
              

               

              LogoutServlet.java

              public class LogoutServlet extends HttpServlet {
              
              
                protected void doGet(HttpServletRequest request,
                HttpServletResponse response) throws ServletException, IOException {
                  
                response.setHeader("Cache-Control", "no-cache, no-store");
                response.setHeader("Pragma", "no-cache");
                response.setHeader("Expires", new java.util.Date().toString());
              
              
                if (request.getSession(false) != null) {
                 request.getSession(false).invalidate();
                }
                if (request.getSession() != null) {
                 request.getSession().invalidate();
                }
              
                request.logout();
                response.sendRedirect(request.getScheme()+"://"+request.getServerName());
                }
              }
              
              
              
              
              
              

               

              Is this something that is an issue with Wildfly or is something misconfigured here?

              • 4. Re: Wildfly security domain doesn't flush roles after logout in a web application
                Jorge Marmolejo Newbie

                Any luck guys???.  I am having the same problem. The credentials are only flushed when the server is restarted.

                • 5. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
                  Tomaz Cerar Master

                  Can you try with wildfly nightly builds?

                   

                  We fixed lots of SSO related bugs for 8.0.1 which we plan to release in few days.

                   

                  You can grab nightly here https://community.jboss.org/thread/224262

                   

                  and please let us know if you are still seeing problems, so we might still have time to fix it for 8.0.1

                  • 6. Re: Wildfly security domain doesn't flush roles after logout in a web application
                    Jorge Marmolejo Newbie

                    Hi Tomaz

                     

                    I downloaded the nightly build as you suggested, but still I am having the same issue. It looks like it has not been fixed yet.

                    • 7. Re: Wildfly security domain doesn't flush roles after logout in a web application
                      renannp Newbie

                      I'm facing the same issue with Wildfly 8.0.0.Final.

                      I also face an issue with j_security_check where sometimes it says that POST is not supported by j_security_check.

                      Maybe a bug should be open to track this issue, I think it is very critical feature that should be in 8.0.1.

                      Meanwhile I'll move to JBoss AS again...

                       

                      Thanks

                      • 8. Re: Wildfly security domain doesn't flush roles after logout in a web application
                        Jorge Marmolejo Newbie

                        Hi renannp

                         

                        I created a ticket for this : https://issues.jboss.org/browse/WFLY-3221. it would be a good idea if you add your comments to that ticket to see if it's assigned to a future version.

                        • 9. Re: Wildfly security domain doesn't flush roles after logout in a web application
                          yersan Newbie

                          Hi all, maybe someone can be helped with this, as workaround we are cleaning the cache with this method in an EJB:

                           

                          private void flushAuthenticationCache(String userid) {

                                  try {

                                      final String domain = "your-policy-name";

                           

                                      ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + domain);

                                      Object[] params = {userid};

                                      String[] signature = {"java.lang.String"};

                                      MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);

                                      server.invoke(jaasMgr, "flushCache", params, signature);

                           

                                  } catch (MalformedObjectNameException | InstanceNotFoundException | MBeanException | ReflectionException ex) {

                                      Logger.getLogger(LoginService.class.getName()).log(Level.SEVERE, null, ex);

                                      throw new EJBException(ex);

                                  }

                              }