Revoking users from a cache


In WAS, V5.0.2 and later, revocation of a user from the security cache using an MBean interface is supported.

When a user is removed from authentication cache, the user can still login to WAS at any time. Removing the cache only removes the user from the runtime cache. It does not remove the user from the registry, nor does it lock out the user.

  Use the following procedure in a JACL script.

The following Java Command Language (JACL) revokes a user when given the realm and the user ID, and cycles through all the security administration MBean instances that are returned for the entire cell when run from the deployment manager wsadmin command. The command also purges the user from the cache during each process.

In some of the following lines of code, the lines are split into two or more lines for illustrative purposes only.

proc clearAuthCache {realm userid} {   
global AdminControl AdminConfig    
if {[catch {$AdminControl queryNames WebSphere:type=SecurityAdmin,*}  result]} {       
    puts stdout "\$AdminControl queryNames WebSphere:type=SecurityAdmin,* caught             an exception $result\n" 
    return     
} 
else {    
    if {$result != {}} {        
        foreach secBean $result {            
            if {$secBean != {} || $secBean != "null"} {           
                if {[catch {$AdminControl invoke $secBean clearAuthCache} result]} { 
                    puts stdout "\$AdminControl invoke $secBean clearAuthCache caught an exception $result\n"                
                    return              
                } else 
                { 
                    puts stdout "\ncache cleared for process $secBean\n"              
                }            
            } else { 
                  puts stdout "unable to get securityAdmin Mbean, user $userid not revoked"           
            }
        }
    } else {     
        puts stdout "Security Mbean was not found\n"   
        return 
    }  
} 

 

Related tasks


Customizing a server-side Java Authentication and Authorization Service authentication and login configuration
Customizing application login with Java Authentication and Authorization Service