-
1. Re: Wildfly security domain doesn't flush roles after logout in a web application
ctomc Mar 20, 2014 6:29 PM (in response to rafael.silvestri)
    <valve>
        <class-name>utils.MyAuthenticator</class-name>
    </valve>
in jboss-web.xml does nothing and is ignored in WildFly; you can remove it.
Are you sure the session was properly invalidated?
To monitor that, you can add a SessionListener in which you will get an event on session create/destroy.
-
2. Re: Wildfly security domain doesn't flush roles after logout in a web application
rafael.silvestri Mar 21, 2014 9:02 AM (in response to ctomc)
Actually, I have a default "Database" login module and I don't have any valve in jboss-web.xml.
I'm sure that my session is really invalidated. It works fine in jboss-as-7.0.1.
Below I show my configuration.
    <security-domain name="DominioImovelRealm" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:/jdbc/MyDS"/>
                <module-option name="principalsQuery" value="SELECT PASSWORD FROM DBA.USERS WHERE USERNAME=?"/>
                <module-option name="rolesQuery" value="SELECT ROLE, 'Roles' FROM DBA.ROLES WHERE USERNAME=?"/>
                <module-option name="hashAlgorithm" value="SHA-256"/>
                <module-option name="hashEncoding" value="HEX"/>
            </login-module>
        </authentication>
    </security-domain>
Any idea?
Thanks for your help.
-
3. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
lc1207h Apr 7, 2014 9:40 PM (in response to rafael.silvestri)
I am in the same boat here. I have set up a custom database login module and that works, but the logout functionality does not. I have pasted the relevant standalone.xml, jboss-web.xml and my servlet logout code. The issue is that the session does not get invalidated after logout. Using the same JSESSIONIDSSO cookie, the user can still access pages that require roles even after logging out.
standalone.xml
    <security-domain name="myname-form" cache-type="default">
        <authentication>
            <login-module code="com.myname.DatabaseModLoginModule" flag="sufficient">
                <module-option name="securityDomain" value="jsse-myname"/>
                <module-option name="verifier" value="com.myname.MyVerifier"/>
                <module-option name="dsJndiName" value="java:/jdbc/myds"/>
                <module-option name="rolesQuery" value="exec h_Get_Roles ?"/>
            </login-module>
        </authentication>
    </security-domain>
jboss-web.xml
    <jboss-web>
        <security-domain flushOnSessionInvalidation="true">myname-form</security-domain>
        <valve>
            <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
        </valve>
        <context-root>/myname-form</context-root>
    </jboss-web>
LogoutServlet.java
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class LogoutServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Tell browsers and proxies not to cache the logout response.
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", new java.util.Date().toString());
            // Invalidate the existing session, if there is one.
            if (request.getSession(false) != null) {
                request.getSession(false).invalidate();
            }
            // getSession() creates a fresh session here; it is invalidated immediately.
            if (request.getSession() != null) {
                request.getSession().invalidate();
            }
            // Servlet 3.0 logout: clears the authenticated principal for this request.
            request.logout();
            response.sendRedirect(request.getScheme() + "://" + request.getServerName());
        }
    }
Is this something that is an issue with Wildfly or is something misconfigured here?
-
4. Re: Wildfly security domain doesn't flush roles after logout in a web application
jimarmol Apr 4, 2014 5:31 PM (in response to lc1207h)
Any luck guys??? I am having the same problem. The credentials are only flushed when the server is restarted.
-
5. Re: Re: Wildfly security domain doesn't flush roles after logout in a web application
ctomc Apr 4, 2014 8:02 PM (in response to lc1207h)
Can you try with WildFly nightly builds?
We fixed lots of SSO related bugs for 8.0.1, which we plan to release in a few days.
You can grab the nightly here: https://community.jboss.org/thread/224262
and please let us know if you are still seeing problems, so we might still have time to fix it for 8.0.1.
-
6. Re: Wildfly security domain doesn't flush roles after logout in a web application
jimarmol Apr 7, 2014 10:32 AM (in response to ctomc)
Hi Tomaz
I downloaded the nightly build as you suggested, but still I am having the same issue. It looks like it has not been fixed yet.
-
7. Re: Wildfly security domain doesn't flush roles after logout in a web application
renannp Apr 8, 2014 10:00 AM (in response to rafael.silvestri)
I'm facing the same issue with WildFly 8.0.0.Final.
I also face an issue with j_security_check where sometimes it says that POST is not supported by j_security_check.
Maybe a bug should be opened to track this issue; I think it is a very critical feature that should be in 8.0.1.
Meanwhile I'll move to JBoss AS again...
Thanks
-
8. Re: Wildfly security domain doesn't flush roles after logout in a web application
jimarmol Apr 8, 2014 10:04 AM (in response to renannp)
Hi renannp
I created a ticket for this: https://issues.jboss.org/browse/WFLY-3221. It would be a good idea if you add your comments to that ticket to see if it's assigned to a future version.
-
9. Re: Wildfly security domain doesn't flush roles after logout in a web application
yersan Apr 10, 2014 9:27 AM (in response to jimarmol)
Hi all, maybe someone can be helped with this; as a workaround we are cleaning the cache with this method in an EJB:
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.ejb.EJBException;
    import javax.management.InstanceNotFoundException;
    import javax.management.MBeanException;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.MalformedObjectNameException;
    import javax.management.ObjectName;
    import javax.management.ReflectionException;

    private void flushAuthenticationCache(String userid) {
        try {
            final String domain = "your-policy-name";
            // MBean of the security domain in the security subsystem.
            ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=" + domain);
            Object[] params = {userid};
            String[] signature = {"java.lang.String"};
            MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
            // Drops the cached principal/roles entry for this user only.
            server.invoke(jaasMgr, "flushCache", params, signature);
        } catch (MalformedObjectNameException | InstanceNotFoundException | MBeanException | ReflectionException ex) {
            Logger.getLogger(LoginService.class.getName()).log(Level.SEVERE, null, ex);
            throw new EJBException(ex);
        }
    }
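Combining ctomc's SessionListener suggestion with yersan's JMX workaround, here is an added example (not code from this thread or from WildFly) of an HttpSessionListener that flushes the security domain's authentication cache entry for the user whose session is being destroyed, so that cached roles cannot outlive the session on logout or timeout. It assumes the login code stores the authenticated username in a session attribute named "authUser" and that the security domain is called "myname-form"; both names are assumptions.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Flushes the security domain's cached authentication entry for a user when
 * that user's HTTP session is destroyed (explicit invalidate() or timeout).
 * Added example: SECURITY_DOMAIN and USER_ATTR are assumed names, not values
 * taken from the thread.
 */
@WebListener
public class AuthCacheFlushListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(AuthCacheFlushListener.class.getName());
    /** Name of the <security-domain> in standalone.xml (assumed). */
    private static final String SECURITY_DOMAIN = "myname-form";
    /** Session attribute the login code stores the username under (assumed). */
    private static final String USER_ATTR = "authUser";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do here; the login code stores the username later.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Attributes are still readable while the session is being invalidated.
        Object user = se.getSession().getAttribute(USER_ATTR);
        if (!(user instanceof String)) {
            return; // anonymous session: nothing is cached for it
        }
        try {
            // Same MBean and "flushCache" operation as the EJB workaround above,
            // keyed by the principal name so only this user's entry is dropped.
            ObjectName domainMBean = new ObjectName(
                    "jboss.as:subsystem=security,security-domain=" + SECURITY_DOMAIN);
            MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(domainMBean, "flushCache",
                    new Object[] {user}, new String[] {"java.lang.String"});
            LOG.log(Level.FINE, "Flushed auth cache for {0}", user);
        } catch (JMException ex) {
            // The session is gone regardless; log so a stale cache entry is visible.
            LOG.log(Level.WARNING, "Could not flush auth cache for " + user, ex);
        }
    }
}
```

Because the listener runs on every session destruction, it also covers sessions that expire without the user ever reaching the logout servlet.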