[JBoss JIRA] (WFLY-3221) flushOnSessionInvalidation attribute in jboss-web.xml does not flush user credentials

Friday, 30 May 2014

    [
https://issues.jboss.org/browse/WFLY-3221?page=com.atlassian.jira.plugin....
] 

Pavel Kovalenko commented on WFLY-3221:
---------------------------------------

Hi guys.

I think it's very critical bug and must be resolved as fast as possible.
E.g. in my application I use LDAP and roles changes very often, so I can't reboot
server after every change.
I was hoping that it will fix in 8.1.0.Final and after I noticed that fix version was
changed to 9.0.0.Aplha I was frustrated.

I realized that I could not wait any longer and after exploring Wildfly source code I
found solution for this problem. Next 2 classes flushes credentials after session
destroying.

{code:title=CredentialsCatchFilter.java|borderStyle=solid}
@WebFilter(urlPatterns = "*")
public class CredentialsCatchFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain
next)
            throws IOException, ServletException
    {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            if (httpServletRequest.getSession().getAttribute("principal") ==
null
                 && httpServletRequest.getUserPrincipal() != null) {
                httpServletRequest.getSession().setAttribute("principal",
httpServletRequest.getUserPrincipal());
            }
        }
        next.doFilter(request, response);
    }

    @Override
    public void destroy() {

    }

}
{code}

{code:title=FlushCredentialsListener.java|borderStyle=solid}
@WebListener
public class FlushCredentialsListener implements HttpSessionListener {

    @Resource(name = "java:jboss/jaas/ldap/authenticationMgr")
    private CacheableManager<?, Principal> authenticationManager;

    @Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        Principal principal = (Principal)
httpSessionEvent.getSession().getAttribute("principal");
        if (principal != null)
            authenticationManager.flushCache(principal);
    }

}
{code}

*Note:* In Resource annotation use your security domain name instead of "ldap".

Hope, it will help developers to temporarily resolve this problem before official fix. 

...
 flushOnSessionInvalidation attribute in jboss-web.xml does not flush
user credentials
 -------------------------------------------------------------------------------------

                 Key: WFLY-3221
                 URL: https://issues.jboss.org/browse/WFLY-3221
             Project: WildFly
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
          Components: Security
    Affects Versions: 8.0.0.Final
            Reporter: Jorge Marmolejo
            Assignee: Darran Lofthouse
            Priority: Critical
             Fix For: 9.0.0.Alpha1

 The attribute flushOnSessionInvalidation  does not flush the user credentials when the
session is invalidated or when it times out. If the password or roles change for the user,
the only way to get the new changes is by restarting the server.
 I tried removing "cache-type=default" from the standalone-full.xml and it
works, but for every action made on the site, the login method in the authentication
module is called. 

--
This message was sent by Atlassian JIRA
(v6.2.3#6260)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006