jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <security-domain flushOnSessionInvalidation="true">my-aktion </security-domain> <valve> <class-name>utils.MyAuthenticator</class-name> </valve> </jboss-web>
standalone.xml
<security-domain name="my-aktion" cache-type="default"> <authentication> <login-module code="utils.MyAuthenticator" flag="required"> <module-option name="dsJndiName" value="java:jboss/datasources/MySQLDS"/> <module-option name="principalsQuery" value="SELECT password FROM user WHERE username=?"/> <module-option name="rolesQuery" value="SELECT r.role, 'Roles' FROM Role r INNER JOIN user u ON u.role_id = r.id WHERE u.username=?"/> <module-option name="hashAlgorithm" value="SHA-256"/> <module-option name="hashEncoding" value="base64"/> </login-module> </authentication> </security-domain>
web.xml (extract)
<security-constraint> <web-resource-collection> <web-resource-name></web-resource-name> <url-pattern>/Profile/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>User</role-name> <role-name>Manager</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>my-aktion</realm-name> <form-login-config> <form-login-page>/Login/login.xhtml</form-login-page> <form-error-page>/Login/error.xhtml</form-error-page> </form-login-config> </login-config> <security-role> <role-name>User</role-name> </security-role> <security-role> <role-name>Manager</role-name> </security-role>
LogoutServlet.java (same for doPost (...))
@WebServlet("/Login/logout.xhtml") public final class LogoutServlet extends HttpServlet { private static final long serialVersionUID = 1L; public LogoutServlet() { super(); } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setHeader("Cache-Control", "no-cache, no-store"); response.setHeader("Pragma", "no-cache"); response.setHeader("Expires", new java.util.Date().toString()); if (request.getSession(false) != null) { request.getSession(false).invalidate();
I have my own authenticator that extends DatabaseServerLoginModule and overwrites the createPasswordHash method for my own security.
My problem is that when I log in with the manager role and change the role of the registered user with a different browser, it caches the role of this user. Only when I register the user and vice versa, he does not have access to the contents of the manager. I am using LogoutServlet to log out.
I tried various changes in the servlet, but that does not help. When I remove "cache-type = default" from standalone.xml in wildfly, it works, but for every action taken from the side, the authentication module login method is called, which is very bad.
In jboss-web.xml, the flushOnSessionInvalidation = "true" parameter seems to be the correct answer to this problem, but it has no effect. Thanks for any help!