IBM Support

How to programmatically clear the WebSphere Application Server security cache

Troubleshooting


Problem

For example, consider a J2EE™ web application called UTG that administers user-to-group (UTG) affiliation, and an LDAP group called "info" to which user "A" has just been added via UTG:

  1. User "A" then authenticates and accesses the J2EE web application "EasyAdmin", which uses J2EE declarative security.
  2. When user "A" attempts to access any of the contract links, which are available only to members of the "info" group, user "A" receives a 403 Forbidden error.
    Note: This is because the cached Subject for user "A" in the AuthCache does not yet contain the "info" group.
  3. After about 10 minutes of inactivity for user "A", user "A" is able to access the contract links successfully, because user "A" is no longer in the cache and a re-authentication occurs, which adds the correct list of groups to the authenticated Subject.

Cause

There is no obvious way to clear the WebSphere® Application Server security cache, so that you do not have to wait for the cacheTimeout to expire.

Resolving The Problem

The suggested solution is to use the clearAuthCache operation of the SecurityAdmin MBean. The SecurityAdmin MBean has two methods for removing entries from the AuthCache:

/**
 * clearAuthCache: removes every cached Subject from this process's AuthCache
 */
public void clearAuthCache()

/**
 * purgeUserFromAuthCache: removes only the cached Subject of one user in the given realm
 */
public void purgeUserFromAuthCache(String realm, String userid)


Note: You need to call this MBean method on each WebSphere Application Server process (not just the DMGR) whose cache must drop the user's Subject. The AuthCache is a per-process cache, so the method must be called on every process that user "A" has authenticated to.

The following is a two-line Jacl example using wsadmin to invoke clearAuthCache on the dmgr process:
set sa [$AdminControl queryNames type=SecurityAdmin,process=dmgr,*]
$AdminControl invoke $sa clearAuthCache
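A wsadmin Jython script, added here as an example and not taken from the technote, that applies the note above: it queries the SecurityAdmin MBean of every process in the cell (dmgr, node agents and application servers) and invokes purgeUserFromAuthCache for one user, so only that user's stale Subject is dropped rather than every cached Subject. REALM and USERID are placeholders, and the DryRunAdminControl stub is constructed so the script also runs outside wsadmin.

```python
# wsadmin Jython script: purge one user's cached Subject from the AuthCache of
# EVERY process in the cell. Added example, not code from the IBM technote.
# Assumptions: REALM/USERID are placeholders; Jython 2.1-compatible syntax.
REALM = 'ldap.example.com:389'   # placeholder: your user registry's realm name
USERID = 'A'                     # user whose group membership just changed

def object_name_keys(object_name):
    """Turn 'WebSphere:name=SecurityAdmin,process=dmgr,...' into a dict."""
    keys = {}
    for pair in object_name.split(':', 1)[1].split(','):
        if '=' in pair:
            k, v = pair.split('=', 1)
            keys[k] = v
    return keys

def security_admin_mbeans(admin_control):
    """One SecurityAdmin MBean per running process (dmgr, nodeagents, servers)."""
    raw = admin_control.queryNames('type=SecurityAdmin,*')
    return [n for n in raw.splitlines() if n.strip()]

def purge_user_everywhere(admin_control, realm, userid):
    """Call purgeUserFromAuthCache on each process; return (node, process) list."""
    touched = []
    for mbean in security_admin_mbeans(admin_control):
        admin_control.invoke(mbean, 'purgeUserFromAuthCache',
                             '[%s %s]' % (realm, userid),
                             '[java.lang.String java.lang.String]')
        keys = object_name_keys(mbean)
        touched.append((keys.get('node', '?'), keys.get('process', '?')))
    return touched

class DryRunAdminControl:
    """Constructed stand-in used only outside wsadmin; records invocations."""
    def __init__(self):
        self.calls = []
    def queryNames(self, query):
        return ('WebSphere:name=SecurityAdmin,process=dmgr,node=CellMgr01,type=SecurityAdmin\n'
                'WebSphere:name=SecurityAdmin,process=server1,node=Node01,type=SecurityAdmin\n')
    def invoke(self, name, op, params=None, signature=None):
        self.calls.append((object_name_keys(name)['process'], op, params))
        return ''

try:
    AdminControl            # injected by wsadmin; NameError anywhere else
except NameError:
    AdminControl = DryRunAdminControl()
for node, process in purge_user_everywhere(AdminControl, REALM, USERID):
    print('purged %s from AuthCache on %s/%s' % (USERID, node, process))
```

Run it with wsadmin -lang jython -f <script>; to force every user in the cell to re-authenticate instead, invoke clearAuthCache on the same MBeans with no parameters.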


Document Information

Modified date:
22 October 2018

UID

swg21223769