1 Reply Latest reply on Jan 21, 2016 11:06 AM by hohmsen

    Picketbox 4.0.21 Final caching ?

    sergiu_pienar

      Using picketbox-4.0.21.Final that comes bundled with WildFly 8.2.0 Final. There is a security domain named ApplicationRealm, doing DB-based auth, as follows:


      <security-domain name="ApplicationRealm" cache-type="default">
        <authentication>
          <login-module code="com.login.LoginModule" flag="required" module="org.jboss.login">
            <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
            <module-option name="hashAlgorithm" value="SHA"/>
            <module-option name="hashEncoding" value="BASE64"/>
            <module-option name="principalsQuery" value="SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname=? AND (u.status='active' OR u.status='system') AND u.clientId=c.clientId AND (c.status='active' OR c.status='system') AND (u.passwordExpireDate IS NULL OR u.passwordExpireDate &gt; now()) AND u.userId=ur.userId AND u.lockedStatus &lt;&gt;1 AND ur.roleId=20"/>
            <module-option name="rolesQuery" value="SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname=? AND u.userId=ur.userId AND u.clientId=ur.clientId AND ur.roleId=r.roleId AND r.roleId=rp.roleId AND rp.privilegeId=p.privilegeId"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
          </login-module>
          <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
        </authentication>
      </security-domain>

      From my app I can add/remove certain roles that allow users to access certain components or not.
      The problem is that even though the app does update the roles/privileges in the DB, PicketBox fails to pick up the new roles/privileges and does not grant the users the new roles/privileges until the server is restarted.


      I do suspect some form of caching that is doing this...


      Any ideas ?

        • 1. Re: Picketbox 4.0.21 Final caching ?
          hohmsen

          This happens because you set the cache-type to default: <security-domain name="ApplicationRealm" cache-type="default">

          The server caches the query results, so changes to the database will not be picked up.


          You can see that in the logs with

                  <logger category="org.jboss.security">
                      <level name="TRACE"/>
                  </logger>


          Hitting the cache looks like this in the logs:

          17:02:51,548 TRACE [org.jboss.security] (default task-11) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@586034f, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@10cdeafd
          17:02:51,548 TRACE [org.jboss.security] (default task-11) PBOX00204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@10cdeafd, credential class: class [C
          17:02:51,548 TRACE [org.jboss.security] (default task-11) PBOX00205: End validateCache, result = true
          17:02:51,548 TRACE [org.jboss.security] (default task-11) PBOX00201: End isValid, result = true
          17:02:51,564 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null


          You can disable the cache by removing cache-type="default" from the security-domain. Another alternative is to change the cache-type to infinispan, where you can set timeouts for the caching.

          Maybe there is a possibility to flush the cache manually when you have changed the roles in the database?
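The behaviour discussed in this thread, as an added Python model of a cached authentication manager (this is illustration code, not PicketBox's implementation or anything from the original posts). The rolesQuery is the one from the security-domain above, run against a constructed in-memory sqlite schema whose column names and sample rows are assumptions; the principalsQuery is a simplified stand-in that keeps only the status check. `ttl=None` models `cache-type="default"` (an entry lives until it is flushed or the server restarts), a numeric `ttl` models an expiring cache, and `flush_cache` models an explicit per-principal flush. The walk-through shows the symptom from the question, and also the security consequence the answer implies: a stale entry hides a revocation just as readily as it hides a grant.

```python
import base64
import hashlib
import hmac
import sqlite3
import time

# rolesQuery from the thread's security-domain, unchanged.
ROLES_QUERY = (
    "SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur "
    "WHERE u.logname=? AND u.userId=ur.userId AND u.clientId=ur.clientId "
    "AND ur.roleId=r.roleId AND r.roleId=rp.roleId AND rp.privilegeId=p.privilegeId"
)
# Simplified principalsQuery (assumption): the real one also joins Client and
# checks lockedStatus / passwordExpireDate; only the status check is kept here.
PRINCIPALS_QUERY = "SELECT password FROM Usr WHERE logname=? AND status='active'"


def sha_base64(password: str) -> str:
    """hashAlgorithm=SHA, hashEncoding=BASE64, as in the thread's module options."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE Usr(userId, logname, password, status, clientId);"
        "CREATE TABLE UserRole(userId, clientId, roleId);"
        "CREATE TABLE Role(roleId, name);"
        "CREATE TABLE Privilege(privilegeId, label);"
        "CREATE TABLE RolePrivilege(roleId, privilegeId);"
    )
    db.execute("INSERT INTO Usr VALUES (1, 'alice', ?, 'active', 10)", (sha_base64("s3cret"),))
    db.executemany("INSERT INTO Role VALUES (?, ?)", [(20, "user"), (30, "admin")])
    db.executemany("INSERT INTO Privilege VALUES (?, ?)", [(1, "READ"), (2, "DELETE")])
    db.executemany("INSERT INTO RolePrivilege VALUES (?, ?)", [(20, 1), (30, 1), (30, 2)])
    db.execute("INSERT INTO UserRole VALUES (1, 10, 20)")  # alice: role 20 -> READ only
    return db


class CachedAuthManager:
    """Caches (password hash, roles) per principal after the first lookup."""

    def __init__(self, db, ttl=None, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, ttl, clock
        self.cache = {}  # logname -> (stored_hash, roles, loaded_at)

    def _load(self, user):
        row = self.db.execute(PRINCIPALS_QUERY, (user,)).fetchone()
        if row is None:
            return None
        roles = frozenset(r[0] for r in self.db.execute(ROLES_QUERY, (user,)))
        return (row[0], roles, self.clock())

    def is_valid(self, user, password):
        """Returns (authenticated, roles); once an entry exists, it answers, not the DB."""
        entry = self.cache.get(user)
        if entry is not None and self.ttl is not None and self.clock() - entry[2] > self.ttl:
            entry = None  # expired: fall through to the database
        if entry is None:
            entry = self._load(user)
            if entry is None:
                return False, frozenset()
            self.cache[user] = entry
        if not hmac.compare_digest(entry[0], sha_base64(password)):
            return False, frozenset()
        return True, entry[1]

    def flush_cache(self, principal=None):
        """Drop one principal's entry, or all of them; call this whenever roles change."""
        if principal is None:
            self.cache.clear()
        else:
            self.cache.pop(principal, None)


def demo():
    """Reproduce the thread's symptom and the two remedies; returns the observations."""
    out, db = {}, build_db()
    # 1. Default cache: a role granted in the DB is invisible until a flush.
    mgr = CachedAuthManager(db)
    out["before"] = mgr.is_valid("alice", "s3cret")[1]
    db.execute("INSERT INTO UserRole VALUES (1, 10, 30)")  # the app grants admin
    out["after_grant_cached"] = mgr.is_valid("alice", "s3cret")[1]
    mgr.flush_cache("alice")
    out["after_flush"] = mgr.is_valid("alice", "s3cret")[1]
    # 2. The same staleness hides a revocation: a locked account still authenticates.
    db.execute("UPDATE Usr SET status='locked' WHERE logname='alice'")
    out["locked_but_cached"] = mgr.is_valid("alice", "s3cret")[0]
    mgr.flush_cache("alice")
    out["locked_after_flush"] = mgr.is_valid("alice", "s3cret")[0]
    # 3. Expiring cache: the change is seen once the entry is older than ttl.
    db.execute("UPDATE Usr SET status='active' WHERE logname='alice'")
    now = [0.0]
    ttl_mgr = CachedAuthManager(db, ttl=60, clock=lambda: now[0])
    ttl_mgr.is_valid("alice", "s3cret")
    db.execute("DELETE FROM UserRole WHERE userId=1 AND roleId=30")  # revoke admin
    now[0] = 30
    out["ttl_within"] = ttl_mgr.is_valid("alice", "s3cret")[1]
    now[0] = 61
    out["ttl_expired"] = ttl_mgr.is_valid("alice", "s3cret")[1]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if isinstance(value, frozenset) else value)
```

Run it and `after_grant_cached` stays at READ while `after_flush` shows READ and DELETE, which is the thread's symptom; `locked_but_cached` is the part to worry about, since with an expiring cache a disabled account keeps working for up to one TTL. In WildFly the counterpart of `flush_cache` is the security subsystem's `flush-cache` management operation on the security-domain resource (it takes an optional `principal` parameter), which an application can invoke from the same code path that updates the role tables.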