From: jfc <jf...@bt...> - 2003-06-01 20:05:50
jfc wrote:

> jfc wrote:
>
>> Scott M Stark wrote:
>>
>>> From the 3.0.7 release notes:
>>> comments:
>>> Add a flushAuthenticationCache(String securityDomain, Principal user)
>>> operation to allow a single user to be flushed from the
>>> authentication cache.
>>>
>>> xxxxxxxxxxxxxxxxxxxxxxxx
>>> Scott Stark
>>> Chief Technology Officer
>>> JBoss Group, LLC
>>> xxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> ----- Original Message -----
>>> From: "jfc" <jf...@bt...>
>>> To: "jboss-user" <jbo...@li...>
>>> Sent: Wednesday, May 28, 2003 3:04 AM
>>> Subject: [JBoss-user] security question: removing an individual user
>>> from authent cache
>>>
>>>> Hi,
>>>>
>>>> I would like to know whether or not I need to upgrade my current
>>>> version of JBoss (308RC1 bundled with tomcat 4.1.24 LE1.4) in order
>>>> to acquire functionality/support for removing an individual user
>>>> from the authentication cache when he logs out of the web application.
>>>>
>>>> If this is possible to do without upgrading, I would like to know
>>>> how to do it as I have had problems upgrading to 3.2.1 and I'm not
>>>> sure when I will be able to resolve the problem.
>>>>
>>>> thanks for any help
>>>> jfc
>>>>
>>>> _______________________________________________
>>>> JBoss-user mailing list
>>>> JBo...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/jboss-user
>>
>> sorry, should have thought to look there. (thanks)
>>
>> Right, so I have a running instance of jboss 308RC1 and tomcat4124
>> LE14. I am experiencing problems - it breaks down like this:
>>
>> 1. admin user logs in to web app successfully (configured via
>>    jboss-web.xml and web.xml to use my jboss security domain aka
>>    login-config.xml);
>> 2. Same user submits a request which gets routed to search ejb which
>>    queries the user's role to find out whether the user is in a
>>    particular role (say 'admin').
>>    The result of the query is yes, caller is in role 'admin' and so
>>    additional criteria are applied to the search. This works well;
>> 3. user logs out of the web application (httpSession.invalidate() and
>>    response.redirect("myIndex.jsp"));
>> 4. I invoke flushAuthenticationCache() with the my-sec-dom security
>>    domain parameter as per above (via jmx-console);
>> 5. I start up a konqueror instance and navigate to the site
>>    submitting a nobody search which is seen as such by the ejb;
>> 6. I then return to the mozilla window and again submit a search
>>    request.
>>    The ejb sees the old user still as being logged in because it
>>    returns true to isCallerInRole("admin");
>> 7. When I submit again from Konqueror, it still thinks I am in admin.
>>
>> What am I doing wrong/missing? Could it be because I am not flushing
>> the cache from within the same web-tier thread?
>>
>> Any help is appreciated.
>> jfc
>
> I tried flushing the cache from within the logout servlet and I am
> still getting 'logged-in' results from requests which should be seen
> as new and unauthenticated.
>
> any further help is appreciated.
>
> jfc

just thought I'd change the message subject to be more relevant as I'm still stuck on this.

jfc