3 Replies Latest reply on Jan 27, 2005 4:02 AM by Scott Stark

    JaasSecurityManager - DefaultCacheTimeout property question

    Alexander Newbie

      I have some doubts about the proper interpretation of the DefaultCacheTimeout property of the JaasSecurityManager. At first I thought that this value means the time in seconds during which the caller's credentials, after a successful logon, are kept in the security cache and treated as valid. In addition, this counter restarts from zero any time the caller makes a successful call to a resource in the security domain (so this mechanism works like a "desktop screensaver": you don't notice it until you have not touched the keyboard or mouse for the predefined time period). But after some experiments I found that the latter is not true (JBoss 3.2.6). The "DefaultCacheTimeout" timeout means the lifetime of the caller's credentials in the security cache beginning from the successful logon, without any updates. The "stack" of the call can be described in the following way:
      JaasSecurityManager.java file, lines 236 - 241

       public synchronized boolean isValid(Principal principal, Object credential,
          Subject activeSubject)
       {
          // Check the cache first
          DomainInfo cacheInfo = getCacheInfo(principal, true);
          ...

      This method is called any time a business call is passed through the security interceptor (and if the JaasSecurityManager is used). The "true" value in the getCacheInfo method means that the corresponding entity should be flushed if it is expired.

      But what about an update? Or a refresh of the time marking?

      The implementation of this method is below - JaasSecurityManager, lines 556 - 571 (the domainCache is an instance of the TimedCachePolicy class, and the DomainInfo implements the TimedCachePolicy.TimedEntry interface):
       private DomainInfo getCacheInfo(Principal principal, boolean allowRefresh)
       {
          if( domainCache == null )
             return null;
          DomainInfo cacheInfo = null;
          synchronized( domainCache )
          {
             if( allowRefresh == true )
                cacheInfo = (DomainInfo) domainCache.get(principal);
             else
                cacheInfo = (DomainInfo) domainCache.peek(principal);
          }
          return cacheInfo;
       }

      domainCache.get is implemented in the TimedCachePolicy class, lines 156 - 174:
       public Object get(Object key)
       {
          TimedEntry entry = (TimedEntry) entryMap.get(key);
          if( entry == null )
             return null;
          if( entry.isCurrent(now) == false )
          {  // Try to refresh the entry
             if( entry.refresh() == false )
             {  // Failed, remove the entry and return null
                return null;
             }
          }
          Object value = entry.getValue();
          return value;
       }

      and entry.refresh() in this case is implemented in the DomainInfo class (JaasSecurityManager.java file, lines 75 - 79):
       public boolean refresh()
       {
          return false;
       }

      so - no update at all.
      Maybe the lifetime should be kept in the cache entry too, and the expiration time should be increased in the refresh method?

      Best regards,
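
The two readings of the timeout discussed in the post above, side by side, as an added example that is not part of the original post and not JBoss code. `CacheTimeoutDemo`, `CredentialCache`, `Entry`, the 30-minute lifetime and the call timeline are all hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not JBoss source: contrasts the absolute expiry the post
// observes with the sliding ("screensaver") expiry it first expected.
public class CacheTimeoutDemo {
    static final class Entry {
        final String value;
        long expiresAt;                       // ms, on the simulated clock
        Entry(String value, long expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    static final class CredentialCache {
        private final Map<String, Entry> entries = new HashMap<>();
        private final long lifetimeMs;
        private final boolean sliding;        // true = each hit extends the lifetime

        CredentialCache(long lifetimeMs, boolean sliding) {
            this.lifetimeMs = lifetimeMs;
            this.sliding = sliding;
        }

        void insert(String principal, String value, long now) {
            entries.put(principal, new Entry(value, now + lifetimeMs));
        }

        // Returns the cached value, or null once the entry has expired
        // (the caller would then have to run a full login again).
        String get(String principal, long now) {
            Entry e = entries.get(principal);
            if (e == null) return null;
            if (now >= e.expiresAt) {         // expired: flush, as when refresh() returns false
                entries.remove(principal);
                return null;
            }
            if (sliding) e.expiresAt = now + lifetimeMs;
            return e.value;
        }
    }

    public static void main(String[] args) {
        CredentialCache absolute = new CredentialCache(1_800_000L, false);
        CredentialCache slidingCache = new CredentialCache(1_800_000L, true);
        absolute.insert("alice", "subject", 0);
        slidingCache.insert("alice", "subject", 0);
        // Constructed timeline: one call every 20 minutes for two hours.
        for (long t = 1_200_000L; t <= 7_200_000L; t += 1_200_000L) {
            System.out.printf("t=%3d min  absolute=%-8s sliding=%s%n", t / 60000,
                absolute.get("alice", t), slidingCache.get("alice", t));
        }
    }
}
```

In this model the absolute cache returns `null` from the 40-minute call onward, forcing a fresh login, while the sliding cache keeps answering from the cached entry for the whole two hours. With sliding expiry an active caller's entry never ages out, so a changed password or disabled account would go unnoticed until the cache is flushed.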