8 Replies Latest reply on Feb 24, 2004 8:02 PM by Rick Hightower

    JBoss SX seems to cache user/roles

    Rick Hightower Newbie

      Is there anyway to tell JBoss SX not to cache user/roles data?

      I am using DatabaseServerLoginModule as follows:

       <application-policy name="expressDomain">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag="required" >
       <module-option name="dsJndiName">java:/jdbc/mysql</module-option>
       <module-option name="principalsQuery">
       select passwrd from app_user where username=?
       </module-option>
       <module-option name = "rolesQuery">
       select role_name, 'Roles' from user_role where username=?
       </module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      In this application an admin can come along and edit another users roles, but this does not seem to get reflected. It seems like JBoss SX caches the roles/user mappings. Is there anyone to turn this caching off?

      I downloaded the JBoss SX source from SF and walked the tree from DatabaseServerLoginModule to AbstractServerLoginModule and it does not seem like they are caching the results. I am guessing it is another class that uses DatabaseServerLoginModule that caches the roles/users.



        • 1. Re: axis version in upcoming 3.0.1
          Rick Hightower Newbie

          Hey - NO problem. I am always very grateful of your hard work on this. I'll be patient.

          • 2. Re: JBoss SX seems to cache user/roles
            Rick Hightower Newbie

            I saw this

            http://jboss.sourceforge.net/doc-24/ch07s09.html


            The example they give seems to set the cache policy.

            <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="Security:name=JaasSecurityManager">
             <attribute name="SecurityManagerClassName">
             org.jboss.security.plugins.JaasSecurityManager
             </attribute>
             <attribute name="SecurityProxyFactoryClassName">
             org.jboss.security.SubjectSecurityProxyFactory
             </attribute>
             <attribute name="AuthenticationCacheJndiName">
             srp/SRPAuthenticationCache
             </attribute>
            </mbean>
            


            Mine does set a cache policy. Here is my version of the above
            from jboss-service.xml
             <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
             name="jboss.security:service=JaasSecurityManager">
             <attribute name="SecurityManagerClassName">
             org.jboss.security.plugins.JaasSecurityManager
             </attribute>
             </mbean>
            


            After looking at the code for org.jboss.security.plugins.JaasSecurityManagerService, it seems to default to a timed cache.

            public class JaasSecurityManagerService
             extends ServiceMBeanSupport
             implements JaasSecurityManagerServiceMBean
            {
             ...
             private static final String DEFAULT_CACHE_POLICY_PATH = "java:/timedCacheFactory";
            ...
            


            How do I setup the timed cache? Can I just set this parameter to nothing? Will that override the timed cache?

            I'll try.

            • 3. Re: JBoss SX seems to cache user/roles
              Rick Hightower Newbie

               

               private static CachePolicy lookupCachePolicy(String securityDomain)
               {
               CachePolicy authCache = null;
               String domainCachePath = cacheJndiName + '/' + securityDomain;
               try
               {
               InitialContext iniCtx = new InitialContext();
               authCache = (CachePolicy) iniCtx.lookup(domainCachePath);
               }
               catch(Exception e)
               {
               // Failed, treat the cacheJndiName name as a global CachePolicy binding
               try
               {
               InitialContext iniCtx = new InitialContext();
               authCache = (CachePolicy) iniCtx.lookup(cacheJndiName);
               }
               catch(Exception e2)
               {
               log.warn("Failed to locate auth CachePolicy at: "+cacheJndiName
               + " for securityDomain="+securityDomain);
               }
               }
               return authCache;
               }
              
              


              It looks like the lookup just returns a null if it cannot find a cache... Worth a shot
              Setting cache policy blank
              <attribute name="AuthenticationCacheJndiName">
               </attribute>
              
              


              • 4. Re: JBoss SX seems to cache user/roles
                Rick Hightower Newbie

                Setting the cache policy to nothing did not work! :(

                Oh well

                19:29:20,296 ERROR [Engine] CoyoteAdapter An exception or error occurred in the container during the request processing
                java.lang.NullPointerException
                 at org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole(JaasSecurityManager.java:318)
                 at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.hasRole(JBossSecurityMgrRealm.java:339)
                 at org.apache.catalina.authenticator.AuthenticatorBase.accessControl(AuthenticatorBase.java:632)
                 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                 at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                 at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
                 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
                


                Help! ;)

                • 5. Re: JBoss SX seems to cache user/roles
                  DRAI William Newbie

                  You should keep the caching on. If you don't, the LoginModule will be called on every request (and it seems that the JaasSecurityManager won't work without cache).
                  If you want to update the password/roles of users, you have to flush the cache through JMX by calling "jboss.security:service=JaasSecurityManager".flushAuthenticationCache(securityDomain, principal). There are lots of posts in the forums explaining how to do that.

                  • 7. Re: JBoss SX seems to cache user/roles
                    Rick Hightower Newbie

                    I did some serching around....

                    I came up with a code snippet

                    Object[] params = new Object[]{jaasDomainName, simplePrincipal};
                    String[] signature = new String[]{ "java.lang.String ",
                    "java.security.Principal "};
                    mbeanServer.invoke(jaasObjectName, "flushAuthenticationCache ", params,
                    signature);
                    


                    Code from http://www.junlu.com/msg/36344.html

                    I'll need to do some more research. I have not worked with JMX much. But thanks for the trail.

                    I also found this: (JBossTestServices)
                     /** Flush all authentication credentials for the java:/jaas/other security
                    
                     295 domain
                    
                     296 */
                    
                     297 3 void flushAuthCache() throws Exception
                    
                     298 {
                    
                     299 3 ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
                    
                     300 3 Object[] params = {"other"};
                    
                     301 3 String[] signature = {"java.lang.String"};
                    
                     302 3 invoke(jaasMgr, "flushAuthenticationCache", params, signature);
                    
                     303 }
                    
                    
                    


                    The above can be found at:
                    http://www.thecortex.net/clover/eg/jboss/report/org/jboss/test/JBossTestServices.html


                    It is sure nice having the entire code base online so it can be googled!



                    • 8. Re: JBoss SX seems to cache user/roles
                      Rick Hightower Newbie

                      Well I tried...

                      I can't seem to init the server....

                       protected void init() throws Exception {
                      
                       if (initialContext == null) {
                      
                       initialContext = new InitialContext();
                      
                       }
                      
                       if (server == null) {
                      
                       String serverName = System.getProperty("testAdvantage.jboss.server.name"); //not set, this prop is null
                      
                       if (serverName == null) {
                      
                       serverName = InetAddress.getLocalHost().getHostName(); //the host name is RicksMachine
                      
                       }
                      
                       server =
                       (Remote) initialContext.lookup("jmx:" + serverName + ":rmi");
                      
                       }
                      
                       }
                      
                      


                      Here is the exception I get.....

                      10:07:15,312 ERROR [STDERR] javax.naming.NameNotFoundException: jmx:RicksMachine:rmi not bound
                      10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getBinding(NamingServer.java:495)
                      10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getBinding(NamingServer.java:503)
                      10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.getObject(NamingServer.java:509)
                      10:07:15,312 ERROR [STDERR] at org.jnp.server.NamingServer.lookup(NamingServer.java:282)
                      10:07:15,312 ERROR [STDERR] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:528)
                      10:07:15,312 ERROR [STDERR] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:507)
                      10:07:15,312 ERROR [STDERR] at javax.naming.InitialContext.lookup(InitialContext.java:347)
                      10:07:15,312 ERROR [STDERR] at org.appfuse.webapp.service.UserManagerJBossSpecific.init(UserManagerJBossSpecific.java:102)