[jboss-user] [Security & JAAS/JBoss] - Re: JAAS login/logout behaviour

abille do-not-reply at jboss.com
Mon Mar 9 06:04:03 EDT 2009


Hello Anil,

well, I introduced a server-side method adminService.logout() doing the following operations:

import java.util.List;

import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.ReflectionException;

import org.jboss.mx.util.MBeanServerLocator;

public void logout() throws MalformedObjectNameException, InstanceNotFoundException, MBeanException, ReflectionException {
    // Locate the JBoss MBean server and the JaasSecurityManager service MBean.
    final MBeanServer server = MBeanServerLocator.locateJBoss();
    final ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");

    // Both operations take the security domain name as their single String argument.
    final Object[] params = { "myDomain" };
    final String[] signature = { "java.lang.String" };

    // Principals currently held in the authentication cache of "myDomain" (before the flush).
    List users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals", params, signature);

    // Flush the authentication cache of "myDomain".
    server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

    // Read the cache again; after the flush this list is expected to be empty.
    users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals", params, signature);
}

We called this method before the second login in the previous code. After a second test run on a server that was not restarted, we get the completely odd behaviour that the first call in the adminService.logout() method to "getAuthenticationCachePrincipals" returns a list of both "ln=admin,oce=org_A" and "ln=admin,oce=org_B".

After calling "flushAuthenticationCache", the second call to "getAuthenticationCachePrincipals" does in fact return an empty list.

But oddly this has no effect on the output on the client side ... it still wrongly returns the same principal name twice.

That is, whatever cache "flushAuthenticationCache" flushes, it does not seem to be the cache where JBoss caches its principals.

Also, a colleague of mine has remarked that we can get a "SecurityAssociation", and the method SecurityAssociation.getPrincipal always returns the correct user, without any need to flush any cache.
However, if the sessionContext.getCallerPrincipal is wrong, are the roles correct?

Secondly, we do think that the client-side code should not be aware of any need to call additional methods simply to flush a cache, which is an implementation detail on the server side ...

Should we file a bug?

Regards,
abille


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4216129#4216129

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4216129



More information about the jboss-user mailing list