From: jfc <jf...@bt...> - 2003-06-01 16:51:36
jfc wrote:

> Scott M Stark wrote:
>
>> From the 3.0.7 release notes:
>> comments:
>> Add a flushAuthenticationCache(String securityDomain, Principal user)
>> operation to allow a single user to be flushed from the
>> authentication cache.
>>
>> xxxxxxxxxxxxxxxxxxxxxxxx
>> Scott Stark
>> Chief Technology Officer
>> JBoss Group, LLC
>> xxxxxxxxxxxxxxxxxxxxxxxx
>>
>> ----- Original Message -----
>> From: "jfc" <jf...@bt...>
>> To: "jboss-user" <jbo...@li...>
>> Sent: Wednesday, May 28, 2003 3:04 AM
>> Subject: [JBoss-user] security question: removing an individual user
>> from authent cache
>>
>>> Hi,
>>>
>>> I would like to know whether or not I need to upgrade my current
>>> version of JBoss (308RC1 bundled with tomcat 4.1.24 LE1.4) in order
>>> to acquire functionality/support for removing an individual user from
>>> the authentication cache when he logs out of the web application.
>>>
>>> If this is possible to do without upgrading, I would like to know
>>> how to do it as I have had problems upgrading to 3.2.1 and I'm not
>>> sure when I will be able to resolve the problem.
>>>
>>> Thanks for any help
>>> jfc
>>>
>>> _______________________________________________
>>> JBoss-user mailing list
>>> JBo...@li...
>>> https://lists.sourceforge.net/lists/listinfo/jboss-user
>
> Sorry, should have thought to look there. (Thanks)
>
> Right, so I have a running instance of jboss 308RC1 and tomcat4124
> LE14. I am experiencing problems - it breaks down like this:
>
> 1. admin user logs in to web app successfully (configured via
>    jboss-web.xml and web.xml to use my jboss security domain aka
>    login-config.xml);
> 2. Same user submits a request which gets routed to search ejb which
>    queries the user's role to find out whether the user is in a
>    particular role (say 'admin').
>    The result of the query is yes, caller is in role 'admin' and so
>    additional criteria are applied to the search. This works well;
> 3. user logs out of the web application (httpSession.invalidate() and
>    response.redirect("myIndex.jsp"));
> 4. I invoke flushAuthenticationCache() with the my-sec-dom security
>    domain parameter as per above (via jmx-console);
> 5. I start up a konqueror instance and navigate to the site submitting
>    a nobody search which is seen as such by the ejb;
> 6. I then return to the mozilla window and again submit a search request.
>    The ejb sees the old user still as being logged in because it
>    returns true to isCallerInRole("admin");
> 7. When I submit again from Konqueror, it still thinks I am in admin.
>
> What am I doing wrong/missing? Could it be because I am not flushing
> the cache from within the same web-tier thread?
>
> Any help is appreciated.
> jfc

I tried flushing the cache from within the logout servlet and I am still
getting 'logged-in' results from requests which should be seen as new and
unauthenticated.

Any further help is appreciated.
jfc
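
Added example, not part of the original thread and not JBoss's own code: a logout servlet that calls the flushAuthenticationCache(String securityDomain, Principal user) operation quoted from the release notes through JMX, reading the caller's principal before the session is invalidated. The class name LogoutServlet, the helper flushUser, and the MBean name jboss.security:service=JaasSecurityManager (the usual JBoss default) are assumptions about the deployment; my-sec-dom and myIndex.jsp are taken from the thread.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical logout servlet; illustrates the per-user flush only.
public class LogoutServlet extends HttpServlet {
    // Security domain name as used in the thread; adjust to the deployed domain.
    private static final String SECURITY_DOMAIN = "my-sec-dom";
    // Assumption: default object name of the JaasSecurityManager service MBean.
    private static final String JAAS_MGR = "jboss.security:service=JaasSecurityManager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Read the principal first: it is the key of the cache entry to remove.
        Principal user = request.getUserPrincipal();
        try {
            if (user != null) {
                flushUser(SECURITY_DOMAIN, user);
            }
        } catch (Exception e) {
            // A failed flush must not prevent the session from being destroyed.
            log("flushAuthenticationCache failed for domain " + SECURITY_DOMAIN, e);
        } finally {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        response.sendRedirect("myIndex.jsp");
    }

    // Invokes the two-argument operation on the in-JVM MBean server.
    static void flushUser(String domain, Principal user) throws Exception {
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("no MBeanServer registered in this JVM");
        }
        servers.get(0).invoke(new ObjectName(JAAS_MGR), "flushAuthenticationCache",
                new Object[] { domain, user },
                new String[] { String.class.getName(), Principal.class.getName() });
    }
}
```

The signature array selects the per-user overload rather than the one-argument flush of the whole domain invoked from jmx-console in step 4.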