9 Replies Latest reply on Oct 5, 2001 6:02 AM by willievu

    Refresh user roles

    willievu

      In my system, it is possible that user roles are changed dynamically. So, I need a way to change user roles. Currently I'm using the database server login module. It seems like user roles are cached. How do I refresh user role cache?

        • 1. CMR and too many parameters in delete sql statement
          willievu

          Hi,

          I'm sure this issue has been addressed somewhere, but I just could not find it.

          I have a problem with Sybase and CMR. Sybase does not like to have more than 300 parameters in one SQL statement. When I delete many CMR relations inside one transaction it fails because generated delete statement has too many parameters.

          For example code like this:

          userTransaction.begin();
          UserLocal ul = getUser();
          GroupLocal parent = getParentGroup();
          Iterator gIter=parent.getChildGroups().iterator();
          while (gIter.hasNext()) {
           GroupLocal gl=(GroupLocal) gIter.next();
           ul.getGroups().remove(gl);
          }
          userTransaction.commit();
          


          Generated SQL statement is something like "DELETE FROM user_group_member WHERE (fk_user=? AND fk_group=?) OR (fk_user=? AND fk_group=?) OR (fk_user=? AND fk_group=?) OR ..." and so on.

          Is there a way to limit the amount of parameters in one DELETE statement and run multiple smaller statements instead of one big statement?

          Br,
          Pekka


          • 2. Re: Refresh user roles
            starksm64

            In 2.4+ there is a flushAuthenticationCache(String securityDomain) method on the org.jboss.security.plugins.JaasSecurityManagerServiceMBean that can be used to flush any security domain cache.

            • 3. Re: Refresh user roles
              willievu

              Per http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ even if you flush authentication caches (how do you achieve this without tampering with the JBoss source?), clients still have principal/credential information stored. And they will use it on the next EJB invocation.

              Is there a way to workaround the above problem as well?

              • 4. Re: Refresh user roles
                willievu

                > In 2.4+ there is a flushAuthenticationCache(String
                > securityDomain) method on the
                > org.jboss.security.plugins.JaasSecurityManagerServiceMBean
                > that can be used to flush any security domain
                > cache.

                How do I call this method at runtime?

                • 5. Re: Refresh user roles
                  iceryx

                  I have exactly the same problem. I am thinking about writing a custom LoginModule that subclasses UsernamePasswordLoginModule, as described in http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html, but I don't know if this would even solve the problem. I think it would, but I don't know if the Roles are being cached *inside* the DatabaseServerLoginModule, or somewhere *outside* of it. Does anyone know?

                  • 6. Re: Refresh user roles

                    I do call the flushAuthenticationCache method like this. There possibly is a better way, but this is my first try to work with JMX, however it works for me.

                    import javax.ejb.EJBException;
                    import javax.management.*;
                    
                    ...
                    
                    // Locate the MBeanServer running in this VM.
                    // (MBeanServerFactory; the post originally read BeanServerFactory, see reply 8.)
                    java.util.ArrayList servers =
                     MBeanServerFactory.findMBeanServer(null);
                    if (servers.size() != 1)
                     throw new EJBException("Not exactly one server found");
                    MBeanServer mbeanServer = (MBeanServer) servers.get(0);
                    
                    // Operation argument and its type signature for the JMX invoke.
                    Object[] params = { "yourSecurityDomainName" };
                    String[] signature = { "java.lang.String" };
                    try {
                     // ObjectName "Security:name=JaasSecurityManager"
                     ObjectName name = new ObjectName("Security", "name",
                     "JaasSecurityManager");
                     mbeanServer.invoke(name, "flushAuthenticationCache", params,
                     signature);
                    } catch (Exception e) {
                     e.printStackTrace();
                     throw new EJBException(e);
                    }
                    



                    • 7. Re: Refresh user roles
                      starksm64

                      Roles are cached outside of the login modules by the JaasSecurityManager.

                      • 8. Re: Refresh user roles
                        iceryx

                        I tried lothar's code to flush the authentication cache, and it worked! I used it from within a servlet that is updating the user roles in the database, and now the user roles are truly dynamic. As a minor note, there was one typo - BeanServerFactory should be MBeanServerFactory. Also, the javax.management package is located in <jboss-home>/lib/jmxri.jar.
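The caching behaviour described in reply 7 and the JMX invoke from reply 6, as a self-contained added example (not code from any poster or from JBoss). `RoleCacheFlushDemo`, `RoleCache`, the `Demo:name=RoleCache` object name and the in-memory `DB` map are constructed stand-ins; only the `flushAuthenticationCache(String)` operation name comes from the thread. It shows that a role revoked in the database stays effective until the cache is flushed. Requires Java 9+.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class RoleCacheFlushDemo {
    // Stand-in for the database role table (constructed sample data).
    static final Map<String, Set<String>> DB = new ConcurrentHashMap<>();

    // Management interface; mirrors only the operation name quoted in the thread.
    public interface RoleCacheMBean {
        void flushAuthenticationCache(String securityDomain);
    }

    // Hypothetical security manager that caches roles outside the login module.
    public static class RoleCache implements RoleCacheMBean {
        private final Map<String, Set<String>> cache = new ConcurrentHashMap<>();

        // Roles are read from the database once per (domain, user), then served from memory.
        Set<String> rolesFor(String domain, String user) {
            return cache.computeIfAbsent(domain + "/" + user,
                    k -> DB.getOrDefault(user, Set.of()));
        }

        @Override
        public void flushAuthenticationCache(String securityDomain) {
            cache.keySet().removeIf(k -> k.startsWith(securityDomain + "/"));
        }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("Demo", "name", "RoleCache"); // hypothetical name
        RoleCache manager = new RoleCache();
        server.registerMBean(manager, name);

        DB.put("alice", Set.of("admin"));
        System.out.println("initial:      " + manager.rolesFor("myDomain", "alice"));

        DB.put("alice", Set.of()); // admin role revoked in the database
        // Stale: the cached entry still grants admin.
        System.out.println("after revoke: " + manager.rolesFor("myDomain", "alice"));

        // Same invoke-by-name call shape as in reply 6.
        server.invoke(name, "flushAuthenticationCache",
                new Object[] { "myDomain" }, new String[] { "java.lang.String" });
        System.out.println("after flush:  " + manager.rolesFor("myDomain", "alice"));
    }
}
```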

                        • 9. Re: Refresh user roles
                          willievu

                          > The code does work...to some extent. It looks like,
                          > after flushing, existing users either lose their
                          > security context, or JBoss logs in previous users as
                          > 'nobody' on the users' behalf. The reason I believe
                          > JBoss uses 'nobody' is that I see "User 'nobody'
                          > authenticated" in the console. Note that I'm using
                          > DatabaseServerLoginModule and 'nobody' as the
                          > unauthenticatedIdentity.
                          >

                          The 'nobody' message is actually caused by a message driven bean logging in. Silly me. Please ignore this 'nobody' nonsense.

                          Here is a more detailed scenario that describes the problem I see here. I use a message driven bean to flush the cache once it receives a message from another entity bean. Say I logged in from a web application successfully (I'm running JBoss 2.4.3-Tomcat 4.0). Then, I use an EJB client to force the entity bean to send a message to the message driven bean. Now the JBoss realm is flushed. Then I go back to the logged-in session in the web browser. When I access a link that I have roles to access, I get an "HTTP 403 (Forbidden) - You are not authorized to view this page" error.

                          Any help?