The JaasSecurityManagerService caches authentication results to avoid constant access of the security store associated with login modules. The default cache policy is a time based policy that is controlled by the DefaultCacheTimeout attribute.

Additional information on the JaasSecurityManagerService can be found in the free online admin guide.

Disabling Caching

To disable caching you need to set the DefaultCacheTimeout to 0:

   <!-- JAAS security manager and realm mapping -->
   <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
      name="jboss.security:service=JaasSecurityManager">
      <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
      <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
      <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
      in seconds.
      If you want to disable caching of security credentials, set this to 0 to
      force authentication to occur every time. This has no affect if the
      AuthenticationCacheJndiName has been changed from the default value.
      -->
      <attribute name="DefaultCacheTimeout">0</attribute>
      <!-- DefaultCacheResolution: Specifies the default timed cache policy
      resolution in seconds. This controls the interval at which the cache
      current timestamp is updated and should be less than the DefaultCacheTimeout
      in order for the timeout to be meaningful. This has no affect if the
      AuthenticationCacheJndiName has been changed from the default value.
      -->
      <attribute name="DefaultCacheResolution">60</attribute>
   </mbean>

Flush the Credential Cache

The cache maintained by a JaasSecurityManager can be flushed through the JaasSecurityManagerService through the jmx-console/web-console or programatically via JMX.

Flushing via JMX Console

The JaasSecurityManagerService has two operations that allow one to flush either the entire credential cache for a given security domain, or just a single user from a given security domain. They are the flushAuthenticationCache(java.lang.String) and flushAuthenticationCache(java.lang.String, java.security.Principal) operations in the JaasSecurityManagerService. The JaasSecurityManagerService is registered under the name jboss.security:service=JaasSecurityManager by default.

To flush the credential cache for the java:/jaas/jmx-console security manager, you would enter jmx-console for the domain name. To flush the principal named javaduke from the java:/jaas/jmx-console security manager cache you would enter jmx-console for the domain name and the string javaduke for the principal. This will be converted to a java.security.Principal by the jmx-console.

Programatic Flushing via JMX

Flush all cached entries in the given domain using the JaasSecurityManagerService mbean registered under "jboss.security:service=JaasSecurityManager":

import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

 String domain = "jmx-console";
 ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
 Object[] params = {domain};
 String[] signature = {"java.lang.String"};
 MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
 server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

Flush a specific cached entry for the given domain + principal using the JaasSecurityManagerService mbean registered under "jboss.security:service=JaasSecurityManager":

import java.security.Principal;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import org.jboss.security.SimplePrincipal;

 String domain = "jmx-console";
 Principal user = new SimplePrincipal("javaduke");
 ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
 Object[] params = {domain, user};
 String[] signature = {"java.lang.String", Principal.class.getName()};
 MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
 server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

Flushing the Cache on Web Session Invalidation

New in jboss-4.0.1RC1, jboss-3.2.7RC1 is the ability to synchronize a flush of the JAAS authentication cache on session invalidation (However reverse is not true that is if you flush cache, current session should not be invalidated). The jboss-web.xml security-domain element now supports a flushOnSessionInvalidation boolean attribute that when true, will flush the security-domain JAAS authentication cache for the associated user principal. An example jboss-web.xml from the testsuite is:

<jboss-web>
   <!-- Specify the security domain for authentication/authorization and
   require that the domain's cache be flushed when the session invalidates.
   -->
   <security-domain flushOnSessionInvalidation="true">
       java:/jaas/jbossweb-form-auth
  </security-domain>
</jboss-web>

Referenced by: