14 Replies Latest reply on Feb 2, 2005 1:03 PM by Jesse Wilson

    How do I flush the Jaas auth cache?

    Joel Shellman Newbie

      So I have a user cruising around the site and they do something that entitles them to a higher level of access--thus changing or adding to their roles in the database (I'm using the db login module). How do I make this take effect in the security manager so they can have immediate access to the other areas of the site? My understanding is that it just keeps hitting the cache and never goes back to check on the database again, so it doesn't get updated with the role changes. How can I get it to update?

      Thanks!

        • 1. Re: How do I flush the Jaas auth cache?
          Scott Stark Master

          import java.net.InetAddress;
          import javax.management.ObjectName;
          import javax.naming.InitialContext;
          import org.jboss.jmx.interfaces.RMIConnector;

          // Flush every cached login for the given security domain via the RMI JMX connector.
          private static void flushAuthCache(String domain) throws Exception
          {
              String serverName = InetAddress.getLocalHost().getHostName();
              String connectorName = "jmx:" + serverName + ":rmi";
              RMIConnector server = (RMIConnector) new InitialContext().lookup(connectorName);
              ObjectName jaasMgr = new ObjectName("Security:name=JaasSecurityManager");
              Object[] params = {domain};
              String[] signature = {"java.lang.String"};
              server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
          }

          • 2. Re: How do I flush the Jaas auth cache?
            Nicolas GANDRIAU Newbie

            I tried this solution but received a bad exception:
            javax.management.InstanceNotFoundException: jboss.security:name=JaasSecurityManager is not registered.
            ......

            After a look into jboss-service.xml, I decided to replace "jboss.security:name=JaasSecurityManager" with "jboss.security:service=JaasSecurityManager", and the exception disappeared and the cache was flushed.

            Hope it helps.
            Nicolas






            • 3. Re: How do I flush the Jaas auth cache?
              zhan Newbie

              I tried the following similar solution to flush the cache, but the strange thing is that it works if I invoke it from the JBoss jmx-console; however, it does not work correctly if I invoke it from the code.
              Can anybody tell me what's wrong? Is it a JBoss bug, or am I missing something? Here is my flush function; it gets called after I change the user role in the database:

              import javax.ejb.EJBException;
              import javax.management.MBeanServer;
              import javax.management.MBeanServerFactory;
              import javax.management.ObjectName;

              // EMSServerException is not defined in the post.
              public void flushSecurityDomain() throws EMSServerException
              {
                  // Locate the MBeanServer running in this VM.
                  java.util.ArrayList servers = MBeanServerFactory.findMBeanServer(null);
                  if (servers.size() != 1) throw new EMSServerException("Not exactly one server found");
                  MBeanServer server = (MBeanServer) servers.get(0);
                  String[] params = { "MyDomain" };
                  String[] signature = { "java.lang.String" };
                  try
                  {
                      ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                      server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
                      System.out.println("After flushAuthenticationCache invoked, domain is " + params[0]);
                  }
                  catch (Exception e)
                  {
                      e.printStackTrace();
                      throw new EJBException(e);
                  }
              }


              Thanks!

              • 4. Re: How do I flush the Jaas auth cache?
                zhan Newbie

                Problem solved!
                It looks like this flush function has to be invoked at the last step of the bean operation; if I invoke it in the middle of the operation, it has some weird behavior.

                • 5. Re: How do I flush the Jaas auth cache?
                  Sundaram Ramasamy Newbie

                  Hi,

                  I tried this; it's flushing currently logged-in users' roles also.


                  Any other way to flush the cache?

                  -SR

                  • 6. Re: How do I flush the Jaas auth cache?
                    AJ Aw Newbie

                    Try this. This should only flush the user myName:

                    Object[] params = {domain, new org.jboss.security.SimplePrincipal(myName)};
                    String[] signature = {"java.lang.String","java.security.Principal"};

                    Thanks,
                    -AJ
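
Added example (not from any poster in this thread, and not JBoss code): the JMX mechanics behind replies 2 and 6, runnable with only a JDK. It registers a constructed stand-in MBean (FlushOps and Recorder are hypothetical names) under the service= name from reply 2, then shows that the signature array selects between the domain-wide and single-principal flush, and that the name= variant fails with InstanceNotFoundException. Assumes Java 8 or later; MyDomain and alice are sample values.

```java
import java.lang.management.ManagementFactory;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class FlushDispatchDemo {
    // Constructed stand-in with the two operation shapes used in this thread.
    public interface FlushOps {
        void flushAuthenticationCache(String domain);
        void flushAuthenticationCache(String domain, Principal user);
    }

    static class Recorder implements FlushOps {
        final List<String> calls = new ArrayList<>();
        public void flushAuthenticationCache(String domain) {
            calls.add("every cached user in " + domain);
        }
        public void flushAuthenticationCache(String domain, Principal user) {
            calls.add("only " + user.getName() + " in " + domain);
        }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Recorder stub = new Recorder();
        ObjectName good = new ObjectName("jboss.security:service=JaasSecurityManager");
        server.registerMBean(new StandardMBean(stub, FlushOps.class), good);
        Principal alice = () -> "alice";   // constructed sample user
        // 1. The signature array selects which overload the MBean server calls.
        server.invoke(good, "flushAuthenticationCache", new Object[] {"MyDomain"},
                new String[] {"java.lang.String"});
        server.invoke(good, "flushAuthenticationCache", new Object[] {"MyDomain", alice},
                new String[] {"java.lang.String", "java.security.Principal"});
        System.out.println("flushed: " + stub.calls);
        // 2. A name with different key properties is a different MBean: nothing is flushed.
        try {
            server.invoke(new ObjectName("jboss.security:name=JaasSecurityManager"),
                    "flushAuthenticationCache", new Object[] {"MyDomain"},
                    new String[] {"java.lang.String"});
        } catch (InstanceNotFoundException e) {
            System.out.println("not registered: " + e.getMessage());
        }
    }
}
```

The signature entry names the declared parameter type (java.security.Principal), not the runtime class of the argument passed in.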

                    • 7. Re: How do I flush the Jaas auth cache?
                      James Kuhn Newbie

                      I'm running JBoss 3.2.1, and I can't get this code to compile. I must be missing
                      a jar file or something.

                      Can somebody tell me where to import the following classes?

                      EMSServerException
                      MBeanServer
                      MBeanServerFactory
                      ObjectName

                      I am unable to find javax.management.* in any of my jar files.

                      • 9. Re: How do I flush the Jaas auth cache?
                        Juha Lindfors Master

                        Uhm, jmxri.jar is Sun's Reference Implementation.

                        • 10. Re: How do I flush the Jaas auth cache?
                          James Kuhn Newbie

                          ok.

                          Well... it contained the classes I was looking for, and it allowed me to compile.

                          Anyway, I abandoned that method of clearing the cache.

                          The problem at hand was that when one person logged in, he got the privs
                          of the first person that logged in. I discovered that the reason for this was
                          because the principals of the subject were not being cleared upon logout.
                          So I'm just making a new loginContext every time I log in, and that gives me
                          a null subject... problem solved.

                          Thanks anyway.










                          • 11. Re: How do I flush the Jaas auth cache?
                            Allen Hsu Newbie

                            I also tried flushAuthenticationCache() in JaasSecurityManagerService but it's not the cache I want to flush.
                            After tracing the code a little bit further, I found out that the cache I really need to flush is inside org.jboss.security.plugins.JaasSecurityManager.

                            Does this mean I have to customize it so I could flush the right cache, or did I miss something important here?

                            Allen

                            • 12. Re: How do I flush the Jaas auth cache?
                              Scott Stark Master

                              The JaasSecurityManagerService.flushAuthenticationCache operation flushes the underlying JaasSecurityManager associated with the security domain argument, so it is what you want to use.

                              • 13. Re: How do I flush the Jaas auth cache?
                                Allen Hsu Newbie

                                I tried to inject some additional code into JaasSecurityManager to trace the cache status. What I expected is that after calling JaasSecurityManagerService.flushAuthenticationCache(String securityDomain, Principal user), the cache shouldn't contain the specified user. But the result shows another story.

                                1. The flush method is called in vas.fresh.struts.ChangePasswordAction.
                                2. After that, the JaasSecurityManager is called again to see if it still has the user, and it does.

                                2004-02-12 11:45:19,043 DEBUG [vas.fresh.struts.ChangePasswordAction] flushed: allen
                                2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] principal: allen, allowRefresh: true
                                2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] items: [allen]
                                2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] validateCache, info=Subject
                                Principal: allen
                                Principal: Roles(members:FreshAdmin)
                                ,1076557512257
                                2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] principal: allen, allowRefresh: false
                                2004-02-12 11:45:26,193 TRACE [vas.common.login.JaasSecurityManager.fresh] items: [allen]

                                What I can do now is to reduce "DefaultCacheTimeout" and "DefaultCacheResolution", so the cache will expire very soon.
                                But if it can be flushed right away, that will be superb.

                                Allen

                                • 14. Re: How do I flush the Jaas auth cache?
                                  Jesse Wilson Newbie

                                  Note that this approach does not work in JBoss 3.2.7 (and perhaps earlier versions such as 3.2.5).

                                  See http://www.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials for the latest sample code.