Problem description
jboss-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain flushOnSessionInvalidation="true">my-aktion</security-domain>
        <valve>
            <class-name>utils.MyAuthenticator</class-name>
        </valve>
    </jboss-web>
standalone.xml
    <security-domain name="my-aktion" cache-type="default">
        <authentication>
            <login-module code="utils.MyAuthenticator" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/MySQLDS"/>
                <module-option name="principalsQuery" value="SELECT password FROM user WHERE username=?"/>
                <module-option name="rolesQuery" value="SELECT r.role, 'Roles' FROM Role r INNER JOIN user u ON u.role_id = r.id WHERE u.username=?"/>
                <module-option name="hashAlgorithm" value="SHA-256"/>
                <module-option name="hashEncoding" value="base64"/>
            </login-module>
        </authentication>
    </security-domain>
web.xml (extract)
    <security-constraint>
        <web-resource-collection>
            <web-resource-name></web-resource-name>
            <url-pattern>/Profile/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
            <role-name>Manager</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>my-aktion</realm-name>
        <form-login-config>
            <form-login-page>/Login/login.xhtml</form-login-page>
            <form-error-page>/Login/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>User</role-name>
    </security-role>
    <security-role>
        <role-name>Manager</role-name>
    </security-role>
LogoutServlet.java (same for doPost(...))
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebServlet("/Login/logout.xhtml")
    public final class LogoutServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        public LogoutServlet() {
            super();
        }

        @Override
        protected void doGet(HttpServletRequest request,
                HttpServletResponse response) throws ServletException, IOException {
            // Tell the browser not to cache the response.
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", new java.util.Date().toString());
            if (request.getSession(false) != null) {
                request.getSession(false).invalidate(); // remove session.
            }
            // if (request.getSession() != null) {
            //     request.getSession().invalidate(); // remove session.
            // }
            request.logout();
            response.sendRedirect(request.getContextPath());
        }
    }
I have a custom Authenticator that extends the DatabaseServerLoginModule and overwrites the createPasswordHash method for its own security.
My problem is that when I log in with a manager role and change the role of a logged-in user with another browser, it caches the role for this user. Only when I log the user out and back in again does he have no access to manager content. I use the LogoutServlet to log out.
I tried various changes in the servlet but it does not help. When I remove "cache-type=default" from the standalone.xml in WildFly it works, but for every action made on the site the login method in the authentication module is called, which is very bad.
In the jboss-web.xml the parameter flushOnSessionInvalidation="true" seems to be the right answer to this problem, but it has no effect. Thank you for any help!
Recommended answer
This is a bug in WildFly 8.0.0 that is planned to be fixed in 8.1. See https://issues.jboss.org/browse/WFLY-3221
In the meantime you can try this workaround to clear the cache for a specific user when the session times out or is invalidated.
Create a session listener and call the method from sessionDestroyed.
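    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;

    // Flushes the cached principal and roles of one user from the security domain.
    // "logger" is the logger field of the enclosing class.
    public void clearCache(String username) {
        try {
            ObjectName jaasMgr = new ObjectName("jboss.as:subsystem=security,security-domain=<YOUR SECURITY DOMAIN>");
            Object[] params = {username};
            String[] signature = {"java.lang.String"};
            MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(jaasMgr, "flushCache", params, signature);
        } catch (Exception ex) {
            logger.warn(ex.getMessage());
        }
    }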
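The session listener described in the answer, written out as an added example that is not part of the original answer. It assumes the application stores the login name in a session attribute at login (the attribute name `authenticatedUser` and the class name `RoleCacheFlushListener` are hypothetical) and uses the `my-aktion` security domain from the question's configuration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: flushes one user's cached principal and roles when the session ends.
@WebListener
public class RoleCacheFlushListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(RoleCacheFlushListener.class.getName());
    // Assumption: the login code stores the user name under this (hypothetical) attribute.
    static final String USER_ATTR = "authenticatedUser";
    // Security domain name taken from the question's jboss-web.xml / standalone.xml.
    private static final String DOMAIN_MBEAN =
            "jboss.as:subsystem=security,security-domain=my-aktion";

    @Override
    public void sessionCreated(HttpSessionEvent event) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called both for an explicit invalidate() and for a session timeout.
        Object user = event.getSession().getAttribute(USER_ATTR);
        if (user instanceof String) {
            clearCache((String) user);
        }
    }

    // Same MBean call as in the answer, limited to the given user's cache entry.
    void clearCache(String username) {
        try {
            MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(new ObjectName(DOMAIN_MBEAN), "flushCache",
                    new Object[] {username}, new String[] {"java.lang.String"});
        } catch (Exception ex) {
            // A failed flush leaves the cached roles in place, so make it visible.
            LOG.log(Level.WARNING, "flushCache failed for security domain my-aktion", ex);
        }
    }
}
```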