2 Replies Latest reply on May 14, 2004 9:49 AM by Scott Stark

    Flushing authentication cache doesn't work for roles

    Gerd Streubel Newbie

      As suggested many times in this forum, I am using JMX to flush the authentication cache. This works fine if the password is changed. But when changing the role, any role information is lost in the security context.

      if ( context.isCallerInRole( "supplier")) logger.debug("supplier");// true
      if ( context.isCallerInRole( "customer")) logger.debug("customer");// false

      flushAuthCache( SECURITY_DOMAIN, context.getCallerPrincipal());

      if ( context.isCallerInRole( "supplier")) logger.debug("supplier");//false
      if ( context.isCallerInRole( "customer")) logger.debug("customer");//false

      After a relogin the role information is available again.
      When changing the password, the security context is updated correctly because the web container brings up the login page immediately (I am using form-based authentication).

      It seems that some security information is handled differently by the security manager.

      I was wondering if anyone could offer some help or point me towards some good resources.

        • 1. Re: Flushing authentication cache doesn't work for roles
          Gerd Streubel Newbie

          To investigate the functioning of the authentication cache, I traced the network traffic of the database port. The result is:

          When calling flushAuthCache() there is no access to the database. Instead, the assigned authentication role is destroyed. Even the call isCallerInRole() is not a reason to re-read the security information stored in the database.
          The security information is only read, i.e. running the SQL statement stored in login-config.xml against the database, when the browser requests a resource the next time.

          It seems that flushing the authentication cache only sets a flag signaling to re-read authentication information the next time. Which call really triggers the database access?

          • 2. Re: Flushing authentication cache doesn't work for roles
            Scott Stark Master

            The security cache is loaded only during authentication. You cannot change roles and have them reloaded without reauthenticating. With basic auth this would be transparent to the user, while form based auth would require logging in.

            You can write your own org.jboss.util.CachePolicy implementation to allow the roles associated with the authenticated subject to be refreshed as you wish.
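
A simplified model of the behaviour described in this thread, added here as an illustration; it is not JBoss code and was not posted by any participant. The class names, the in-memory `DB` map and the user `alice` are assumptions, and the model does not implement org.jboss.util.CachePolicy; it only contrasts a cache filled solely at authentication with one that re-reads roles on flush.

```java
import java.util.*;

// Hypothetical model, not JBoss code: shows why role checks fail after a flush
// and what a refreshing cache changes.
public class RoleCacheModel {
    // Constructed stand-in for the roles table queried via login-config.xml.
    static final Map<String, Set<String>> DB = new HashMap<>();

    // Default behaviour: roles enter the cache only in authenticate().
    static class AuthCache {
        protected final Map<String, Set<String>> entries = new HashMap<>();

        void authenticate(String user) { entries.put(user, loadRoles(user)); }

        void flush(String user) { entries.remove(user); }

        boolean isCallerInRole(String user, String role) {
            Set<String> roles = entries.get(user); // never falls through to the DB
            return roles != null && roles.contains(role);
        }

        static Set<String> loadRoles(String user) {
            return new HashSet<>(DB.getOrDefault(user, Collections.emptySet()));
        }
    }

    // Refreshing variant: flush re-reads roles for an already authenticated
    // principal; an account that no longer exists is evicted instead.
    static class RefreshingAuthCache extends AuthCache {
        @Override void flush(String user) {
            if (!DB.containsKey(user)) entries.remove(user);
            else if (entries.containsKey(user)) entries.put(user, loadRoles(user));
        }
    }

    static String check(AuthCache cache) {
        DB.put("alice", new HashSet<>(Arrays.asList("supplier")));
        cache.authenticate("alice");
        DB.put("alice", new HashSet<>(Arrays.asList("customer"))); // role changed in DB
        cache.flush("alice");
        return "supplier=" + cache.isCallerInRole("alice", "supplier")
             + " customer=" + cache.isCallerInRole("alice", "customer");
    }

    public static void main(String[] args) {
        System.out.println("default:    " + check(new AuthCache()));
        System.out.println("refreshing: " + check(new RefreshingAuthCache()));
    }
}
```

The refreshing variant updates roles without re-verifying credentials, so it should only ever be triggered by a trusted administrative path such as the JMX flush call.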