[jboss-user] [Security & JAAS/JBoss] - Re: JAAS login/logout behaviour

Mon, 09 Mar 2009 03:05:42 -0700 

Hello Anil,

well, I introduced a server side method adminService.logout() doing the 
following operations:

public void logout() throws MalformedObjectNameException, NullPointerException, 
InstanceNotFoundException, MBeanException, ReflectionException {
        final MBeanServer server = 
org.jboss.mx.util.MBeanServerLocator.locateJBoss();

        final String jaasMgrName = "jboss.security:service=JaasSecurityManager";

        final ObjectName jaasMgr = new ObjectName(jaasMgrName);

        final Object[] params = { "myDomain" };

        final String[] signature = { "java.lang.String" };

        @SuppressWarnings("unused")
        List users = (List) server.invoke(jaasMgr, 
"getAuthenticationCachePrincipals", params, signature);

        server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

        users = (List) server.invoke(jaasMgr, 
"getAuthenticationCachePrincipals", params, signature);

    }

We called this method before the second login in the previous code. After a 
second test run with a not restarted server, we get the completly odd 
behaviour, that the first call in the adminService.logout() method to 
"getAuthenticationCachePrincipals" returns a list of 
both "ln=admin,oce=org_A" and "ln=admin,oce=org_B".

After calling "flushAuthenticationCache" the second call to 
"getAuthenticationCachePrincipals" returns in fact a zero list.

But oddly this has no effect on the output on clientside ... it still returns 
wrongly two times the same principal name.

That is, whatever cache the "flushAuthenticationCache" flushes, it does not 
seem to be the cache where JBoss caches it's principals.

Also, a colleague of mine has remarked, that we can get a 
"SecurityAssociation", and the method SecurityAssociation.getPrincipal always 
returns the correct user, without any need to flush any cache.
However, if the sessionContext.getCallerPrincipal is wrong, are the roles 
correct?

Secondly, we do think that the client side code should not be aware of any need 
to call additional mehtods simply to flush a cache, which is an implementation 
detail on server side ...

Should we file a bug?

Regards,
abille


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4216129#4216129

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4216129
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user

Reply via email to