2 Replies Latest reply on Oct 2, 2015 8:24 AM by Vicente Ferrer Gilabert

    Seems like Wildfly 9.0.1 is not flushing user credentials in session expiration

    Vicente Ferrer Gilabert Newbie

      Hi,

       

      We have an application running with SSO in Wildfly 8.2.0 and we are migrating it to 9.0.1. In 8.2.0 version we have explicit code for flush the user credentials after every logout, even controlling when the user closes the browser directly, across the close of a websocket that access programatically to the mbeans and invoke flushCache at the element jboss.as:subsystem=security,security-domain=own_security_domain:

       

      public final class SessionUtil {
      
      
           private SessionUtil() { }
      
      
      
           public static void logout(Session session, CloseReason reason) 
              throws InstanceNotFoundException, MalformedObjectNameException, ReflectionException, MBeanException {
                CloseReason.CloseCode closeReason = reason != null ? reason.getCloseCode() : null;
                    if (Op.in(
                         closeReason, 
                          CloseReason.CloseCodes.GOING_AWAY, 
                          CloseReason.CloseCodes.CLOSED_ABNORMALLY, 
                          CloseReason.CloseCodes.NORMAL_CLOSURE)) {
      
                          SessionUtil.flushAuthenticationCache(session.getUserPrincipal().getName());
                     }
           }
      
           private static void flushAuthenticationCache(String userId) throws Instance
               NotFoundException, ReflectionException, MBeanException, MalformedObjectNameException {
      
               ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + AUTH_REALM_NAME);
               MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
               server.invoke(jaasMgr, "flushCache", new Object[]{userId}, new String[]{"java.lang.String"});
           }
      }
      
      

       

      The websocket close invoke this method:

       

      @ServerEndpoint(value = "/websocket")
      public class SessionWebsocket {
          @OnClose
          public void close(Session session, CloseReason reason)
                        throws InstanceNotFoundException, MalformedObjectNameException, ReflectionException, MBeanException {
                SessionUtil.logout(session, reason);
          }
      }
      
      

       

      There is a wildfly issue marked as Done in 9.0.0.Beta1 https://issues.jboss.org/browse/WFLY-3221, we thought we could remove this workaround now in 9.0.1 but the problem remains.

       

      It seems that the issue is not really solved because:

      1. Login to the application (a JAAS module loads the user groups from Database)
      2. Modify the user roles in database. For this test, I remove a role for the user, let say the role identified by XXX
      3. Wait the session-timeout for logout
      4. Press F5. Wildfly ask the login again, redirecting me to the login form.
      5. Login again.
      6. After the login, I call ctx.isCallerInRole("XXX"). It returns an incorrect value (in fact, the method responds "true", as if the user had the role, but we removed it in step 2) because the login process has not reloaded the user credentials.

       

      Are we doing something wrong or maybe the referenced jira issue has not been really solved?

       

      Thanks in advance.