3 Replies Latest reply on Feb 27, 2008 5:30 PM by Benoit Xhenseval

    Flushing the credential cache ==> InstanceNotFoundException

    Benoit Xhenseval Newbie

      Hi

      We're using the DatabaseServerLoginModule but for all intent, when my user decides to change its password, I would like to flush the cache.

      We're using JBoss-4.0.5-GA

      I'm trying to follow the code on: http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials

      Unfortunately, I know very little about MBeans and I seem to get an InstanceNotFoundException everytime on this call:

      MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);


      Why? The full code is as follows:

       private void flushCache(String loginId) {
       String domain = "jmx-console";
       Principal user = new SimplePrincipal(loginId);
       ObjectName jaasMgr;
       try {
       jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
       Object[] params = { domain, user };
       String[] signature = { "java.lang.String", Principal.class.getName() };
       MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
       server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
       } catch (MalformedObjectNameException e) {
       log.error("Cannot flush", e);
       } catch (NullPointerException e) {
       log.error("Cannot flush", e);
       } catch (InstanceNotFoundException e) {
       log.error("Cannot flush", e);
       } catch (MBeanException e) {
       log.error("Cannot flush", e);
       } catch (ReflectionException e) {
       log.error("Cannot flush", e);
       }
       }
      


      My login-config.xml is
      <application-policy name="atrium-security">
      <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="unauthenticatedIdentity">misterx</module-option>
       <module-option name="dsJndiName">java:/AtriumDS</module-option>
       <module-option name="principalsQuery">
       select PASSWORDMD5 from safemarginuser where LOGINID=? and STATE='ACT' and FAILEDLOGIN < 10
       </module-option>
       <module-option name="rolesQuery">
       select ROLE, 'Roles' from loginrole A, safemarginuser B where B.ID=A.USER_ID and A.CLIENT_ID=B.CLIENT_ID and B.LOGINID=?
       </module-option>
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">base64</module-option>
       </login-module>
      </authentication>
      </application-policy>
      


      My jboss-service.xml (in server/default/conf) is, as far as I can tell, the original one:

       <!-- JAAS security manager and realm mapping -->
       <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
       <!-- A flag which indicates whether the SecurityAssociation server mode
       is set on service creation. This is true by default since the
       SecurityAssociation should be thread local for multi-threaded server
       operation.
       -->
       <attribute name="ServerMode">true</attribute>
       <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
       <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
       <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
       in seconds.
       If you want to disable caching of security credentials, set this to 0 to
       force authentication to occur every time. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       -->
       <attribute name="DefaultCacheTimeout">1800</attribute>
       <!-- DefaultCacheResolution: Specifies the default timed cache policy
       resolution in seconds. This controls the interval at which the cache
       current timestamp is updated and should be less than the DefaultCacheTimeout
       in order for the timeout to be meaningful. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       -->
       <attribute name="DefaultCacheResolution">60</attribute>
       </mbean>
      


      The caller of flushCache is a POJO but running from a Stateless Session Bean. Is there a classloader issue?

      I am obviously doing something wrong, any pointer/solution/suggestion would be very welcomed!

      Thanks!

      Benoit

        • 1. Re: Flushing the credential cache ==> InstanceNotFoundExcept
          Benoit Xhenseval Newbie

          Any suggestion?

          I am able to call the flushAuthenticationCache from the jmx-console web interface but the code fails every time on

          server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
          in the example on the Wiki page...

          http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials

          What am I doing wrong... even if it is trivial, I'd like to know...

          15:05:38,015 ERROR [UserPasswordSaver][RMI TCP Connection(125)-10.17.35.10] Cannot flush
          javax.management.InstanceNotFoundException: jboss.security:service=JaasSecurityManager
           at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(DefaultMBeanServerInterceptor.java:1010)
           at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:804)
           at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
           at net.XXXXXXX.savers.UserPasswordSaver.flushCache(UserPasswordSaver.java:144)


          Thanks in advance

          Benoit

          • 2. Re: Flushing the credential cache ==> InstanceNotFoundExcept
            Anil Saldanha Master

            1) Try to invalidate the session when the user changes the password. (Why does it matter that the cache is still with the old password? The new password will anyway kick in on next login).

            or

            2) Get MBeanServerConnection as:

            MBeanServerConnection server= (MBeanServerConnection)new InitialContext().lookup("jmx/rmi/RMIAdaptor");
            


            • 3. Re: Flushing the credential cache ==> InstanceNotFoundExcept
              Benoit Xhenseval Newbie

              HI Anil

              Thanks for your reply and sorry for the delay (I did not get the email it is supposed to send, may be caught in my anti-spam...)

              If an "admin" changes somebody password (say because they do not remember it), the cache must be flushed for the new password to be effective immediately.

              I see your suggestion but what do I do with an MBeanServerConnection ? Is there a different approach from the Wiki page?

              Thanks a lot

              Benoit