2 Replies Latest reply on Jun 17, 2014 12:07 PM by Marc Boorshtein

    How does user management in jBPM work?  Are sessions cached?

    Marc Boorshtein Newbie

      All,

       

      I recently setup the jBPM6 demo and integrated it with an SSO solution that provides the user's login id and roles from a login module & valve.  The SSO part works perfectly, but I've noticed an odd sequence.  If I:

      1. Login with an account with the roles "admin" and "HR" and click on my id in the upper right hand corner I see both "admin" and "HR" listed as roles
      2. Logout (including a logout to jBPM/JBoss)
      3. Change my user's account permissions to "user" and "IT"
      4. Login again with the same account
      5. Click on my id in the upper right hand corner and see the roles "user" and "IT" listed

       

      This is as I would expect.  The user has a new set of roles so those roles are shown.  However, if I now were to:

      1. Delete all cookies in my browser (thus "ending" my session)
      2. Change the user's permissions by
        1. removing the user and IT roles
        2. adding the admin role
      3. Login to jBPM6 and click on my user id in the upper right hand corner and "user" and "IT" are still listed
        • 1. Re: How does user management in jBPM work?  Are sessions cached?
          Kris Verlaenen Master

          Do you see the same behavior with the default configuration (not using your custom SSO config)? Which as are you using?

          • 2. Re: How does user management in jBPM work?  Are sessions cached?
            Marc Boorshtein Newbie

            Its a proprietary SSO system that passes the user and role information in through an encrypted header.  The valve decrypts the header and creates the appropriate principal objects.  A login module then passes those objects back to JBoss (login module is an implementation of UsernamePasswordLoginModule).  I have verified the following use cases:

             

            1.  Restarting the SSO system, but not JBoss does NOT effect the behavior

            2.  Restarting JBoss, but not the SSO system causes the session to reflect the correct roles

             

            I've also verified that getRoleSets() in the login module is returning the correct set of roles.  What I don't know is if the issue is in JBoss or JBPM.  I don't think you could reproduce this using the standard "other" security domain because don't you need to restart JBoss for changes to the text files containing the user's groups to take effect?  That would clear out the "cache" if it does exist. 

             

            I "broke" my test system for now but once I have it working again I'll post the logs for additional context.