The JIRA issue is this:
Need a way to support refreshing security roles within a session
Well, there is no solution yet for the JBoss 4.2.x series (nor for the 3.2.x and 4.0.x series).
But the simplest workaround is to do a full security check (authentication and authorization) on each call. The container already does this check on every call; the catch is that the JAAS security cache in JBoss hands back the cached Subject instead of running the JAAS login modules again, so roles computed at login are reused for as long as the cache entry lives.
Given this, there are 2 steps to perform for the workaround:
1) Disable Jaas Security Cache
- Go to conf/jboss-service.xml and set the "DefaultCacheTimeout" attribute of the JaasSecurityManagerService MBean (jboss.security:service=JaasSecurityManager) to zero, so no authenticated Subject is cached.
2) Disable Tomcat caching the principal as part of the session.
NOTE: This is a very important step. If you do not follow it correctly, you will see bad behavior and may lose hair.
Now you need to figure out which auth method your web application uses. How will you know? Look at the <auth-method> element inside <login-config> in the web.xml of your web application.
If it is BASIC, as in
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
then do the following: in the WEB-INF directory of your web application, create a context.xml with the following information (remember
If it is FORM-based login, as in
then do the following: in the WEB-INF directory of your web application, create a context.xml with the following information (remember,
Similarly, if it is CLIENT-CERT, just replace FormAuthenticator with SSLAuthenticator.
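As an added illustration of the two steps above (this is not configuration taken from the original post or from the JBoss distribution, though the MBean and attribute names are the ones JBoss 4.2 ships with and the Valve classes and their cache attribute are Tomcat's own), here is what the edited fragments look like. The server/default path assumes the "default" server configuration; the Valve className shown is the BASIC case and is swapped for FormAuthenticator or SSLAuthenticator as described above.

```xml
<!-- server/default/conf/jboss-service.xml: step 1, disable the JAAS security cache.
     Only the DefaultCacheTimeout value changes; the other attributes are the stock ones. -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
  <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
  <!-- 0 = no caching of authenticated Subjects: the login modules run on every call,
       so a role change in the backing store is visible on the next request -->
  <attribute name="DefaultCacheTimeout">0</attribute>
  <attribute name="DefaultCacheResolution">60</attribute>
</mbean>

<!-- WEB-INF/context.xml: step 2, stop Tomcat caching the Principal in the HTTP session.
     Pick the Valve that matches <auth-method> in web.xml:
       BASIC        -> org.apache.catalina.authenticator.BasicAuthenticator
       FORM         -> org.apache.catalina.authenticator.FormAuthenticator
       CLIENT-CERT  -> org.apache.catalina.authenticator.SSLAuthenticator
     cache="false" makes the authenticator re-run realm authentication per request
     instead of reusing the Principal stored on the session. -->
<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" cache="false"/>
</Context>
```

Two things to check before relying on this. First, with the cache timeout at zero every request drives your login module (a database or LDAP round trip per call), so measure the cost on a representative page before deploying it. Second, with cache="false" the FORM authenticator has to keep the username and password as session notes in order to re-authenticate each request, which means the credentials live in the session for its whole lifetime; BASIC and CLIENT-CERT re-send their credentials on every request anyway, so they do not have this side effect. You can confirm the new timeout took effect by viewing the jboss.security:service=JaasSecurityManager MBean in the jmx-console.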
Inform me if this does not work. I have done some basic testing with the BASIC type of auth.
Motivation for the workaround:
For the web layer, the container's security checks happen at the time of the user's login. Once authentication has succeeded, the resulting principal, together with the roles computed at that moment, is cached in the session and reused for every later request in that session; the role set is never recomputed. So for custom requirements such as roles being refreshed at arbitrary times during the session, there is no decent way of solving it other than the aforementioned workaround. The complexity arises from the way Tomcat caches the principal for the duration of the session.