Refresh of cached credential information

Some user registries maintain cached information. Cached data is kept for a specific amount of time and is then discarded. After the cached data has expired, it is not reloaded into the cache until the next time the user registry is accessed. Therefore, changes made to user registry data are not immediately reflected in the cache. Likewise, when you use a replicated LDAP user registry, updates to the replicated registries do not occur immediately.

The default lifetime of data in the WebSEAL user cache is 30 seconds. This lifetime begins when the data first enters the cache, such as when a user first authenticates, or when the cached data has expired and WebSEAL contacts the registry to update the data. WebSEAL contacts the registry to update the data during a credential refresh event. The cached information is valid for 30 seconds after it is first obtained from the registry. After 30 seconds, any credential refresh operations go directly to the user registry. The access to the user registry also causes the user data to be reloaded into the cache.

The following example shows the algorithm for updating the user cache:

  1. The user authenticates at time auth_time.
  2. The user is added to a group at time auth_time + 120 seconds.
  3. The user's credential is refreshed at time auth_time + 130 seconds.

     Because the user cache data expired at time auth_time + 30 seconds, the refresh goes to the user registry and the new group membership is added to the user's credential.

  4. The user is added to another group at time auth_time + 135 seconds.
  5. The user's credential is refreshed at time auth_time + 140 seconds.

When the user credential is refreshed at auth_time + 140 seconds, it does not pick up the new group membership. This is because the user credential is built from cached user data whenever the cached user data is considered valid (has not expired). Because the user cache data was reloaded at time auth_time + 130 seconds, it is not scheduled to be reloaded until auth_time + 160 seconds. Therefore, the administrator must wait until time auth_time + 160 seconds to run the refresh command. At that time, the user credential picks up the new group membership.
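The timeline above follows from one rule: a refresh reads the cache while the cached entry is younger than the cache lifetime, and goes to the registry (reloading the cache) only once the entry has expired. The following added example is a constructed model of that rule, not WebSEAL code; the `Registry`, `UserCache`, user name and group names are assumptions made for illustration, and only the 30-second default lifetime comes from the page. It replays the five steps and also computes, for any registry change, the earliest time at which a refresh will see it.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Default lifetime of an entry in the WebSEAL user cache, as stated on the page.
CACHE_LIFETIME = 30  # seconds


@dataclass
class Registry:
    """Constructed stand-in for the user registry: group memberships per user."""

    groups: dict[str, set[str]] = field(default_factory=dict)

    def add_to_group(self, user: str, group: str) -> None:
        self.groups.setdefault(user, set()).add(group)

    def lookup(self, user: str) -> frozenset[str]:
        return frozenset(self.groups.get(user, set()))


@dataclass
class UserCache:
    """Model of the user cache: an entry is valid for `lifetime` seconds after it was loaded."""

    registry: Registry
    lifetime: int = CACHE_LIFETIME
    entries: dict[str, tuple[int, frozenset[str]]] = field(default_factory=dict)
    registry_hits: int = 0  # how many refreshes actually went to the registry

    def credential_groups(self, user: str, now: int) -> frozenset[str]:
        """Groups a credential refresh at time `now` would place in the credential."""
        entry = self.entries.get(user)
        if entry is not None:
            loaded_at, groups = entry
            if now < loaded_at + self.lifetime:
                # Entry still valid: the credential is built from cached data,
                # so registry changes made after `loaded_at` are not visible.
                return groups
        # Entry absent or expired: go to the registry and reload the cache.
        self.registry_hits += 1
        groups = self.registry.lookup(user)
        self.entries[user] = (now, groups)
        return groups

    def earliest_effective_refresh(self, user: str, change_time: int) -> int:
        """Earliest time a refresh will pick up a registry change made at `change_time`."""
        entry = self.entries.get(user)
        if entry is None:
            return change_time
        loaded_at, _ = entry
        return max(change_time, loaded_at + self.lifetime)


def run_page_timeline(auth_time: int = 0) -> dict:
    """Replay the five-step example from the page and return what each refresh sees."""
    registry = Registry()
    cache = UserCache(registry)
    user = "alice"  # constructed sample user
    results: dict = {}

    cache.credential_groups(user, auth_time)                      # 1. authenticate; cache loaded
    registry.add_to_group(user, "group-a")                         # 2. auth_time + 120
    results["refresh@130"] = cache.credential_groups(user, auth_time + 130)  # 3. expired -> registry
    registry.add_to_group(user, "group-b")                         # 4. auth_time + 135
    results["wait_until"] = cache.earliest_effective_refresh(user, auth_time + 135)
    results["refresh@140"] = cache.credential_groups(user, auth_time + 140)  # 5. cache still valid
    results["refresh@160"] = cache.credential_groups(user, auth_time + 160)  # entry expired again
    results["registry_hits"] = cache.registry_hits
    return results


if __name__ == "__main__":
    for event, value in run_page_timeline().items():
        print(f"{event}: {sorted(value) if isinstance(value, frozenset) else value}")
```

Running it shows the refresh at auth_time + 130 returning only `group-a`, the refresh at auth_time + 140 still returning only `group-a`, and `wait_until` of 160, which is when a refresh first returns both groups; only three of the four refreshes touched the registry.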

Parent topic: Credential refresh concepts