I believe I am seeing some caching of the identity claims in my application, which is using WSO2IS 5.3.0. When an identity claim is changed via UserStoreManager.setUserClaimValues (for example, http://wso2.org/claims/identity/accountDisabled), it takes some time for that change to be reflected in subsequent calls to UserStoreManager.getUserClaimValues.
I've searched for the configuration mentioned here https://docs.wso2.com/display/IS530/Configuring+Cache+Layers but don't see that in our setup. I'm also not seeing any other configuration that I could attribute to this behavior.
Looking for an explanation, thanks in advance.
Copying this out from my comment
For others' reference, the identity claims are managed by the configured IdentityUserStore, the configuration of which can be found by this line in conf/identity/identity-mgt.properties:
Identity.Mgt.User.Data.Store=org.wso2.carbon.identity.mgt.store.JDBCIdentityDataStore
(JDBCIdentityDataStore does do some amount of caching to prevent unnecessary DB hits, and does invalidate that cache upon writing)
I'm writing a dApp using web3Modal and web3js libraries.
I have an issue regarding the WalletConnect provider.
Upon choosing to connect using WalletConnect, the QR code doesn't show up and I'm immediately connected to the previous (old local test network..) wallet.
I tried looking for an option in the WalletConnectProvider api and the web3js libraries, without success.
Opening the website in incognito mode DOES work, but loading the page without using cache does not work (ctrl+shift+f5 on chrome), nor does disabling cache using html headers.
I'm not sure what I am missing, as it's clearly saved somewhere but not in the cache.
First you need to use connector.killSession() and then clear local storage.
Solution: clear local storage using localStorage.clear().
More granularity should be possible if need be.
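An added example, not part of the original posts, of the more granular cleanup: end the session with connector.killSession(), then remove only the wallet-related entries instead of calling localStorage.clear(). The helper names are hypothetical, and the storage key names are assumptions about the v1 WalletConnect and web3modal libraries; check them against what your build actually writes.

```javascript
// Added example; key names are assumptions about the v1 libraries (verify in DevTools).
const WALLET_SESSION_KEYS = [
  "walletconnect",                // WalletConnect v1 persisted session (assumed key)
  "WEB3_CONNECT_CACHED_PROVIDER", // web3modal v1 cached provider choice (assumed key)
];

// Hypothetical helper: end the WalletConnect session, then remove only the
// wallet-related entries so unrelated site data in storage is preserved.
async function resetWalletSession(connector, storage, keys = WALLET_SESSION_KEYS) {
  let killError = null;
  if (connector && connector.connected) {
    try {
      await connector.killSession(); // tells the paired wallet the session is over
    } catch (err) {
      killError = err; // e.g. bridge unreachable: still purge local state below
    }
  }
  const removed = [];
  for (const key of keys) {
    if (storage.getItem(key) !== null) {
      storage.removeItem(key);
      removed.push(key);
    }
  }
  return { removed, killError };
}

// Minimal in-memory stand-in for window.localStorage (constructed for the demo).
function makeMemoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
    keys: () => [...data.keys()],
  };
}

// Constructed sample state: a stale test-network session plus an unrelated preference.
async function demo() {
  const storage = makeMemoryStorage({
    walletconnect: '{"connected":true,"chainId":1337}',
    WEB3_CONNECT_CACHED_PROVIDER: '"walletconnect"',
    theme: "dark",
  });
  const connector = { connected: true, killSession: async () => { throw new Error("bridge unreachable"); } };
  const result = await resetWalletSession(connector, storage);
  return { result, remaining: storage.keys() };
}
```

In a browser, pass window.localStorage as the storage argument; the stale session is removed even when killSession() fails, which is the case that otherwise leaves the old wallet reconnecting on every load.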
The WSO2 IS documentation reads:
"The claim dialects configured in /repository/conf/claim-config.xml file get applied only when you start the product for the first time, or for any newly created tenants. With the first startup, claim dialects and claims will be loaded from the file and persisted in the database. Any consecutive updates to the file will not be picked up and claim dialects and claims will be loaded from the database."
Does this mean claim-config.xml is a file to seed the database and is only run once? If it is only for seeding the database, that means the only way to update claims after the very first start of the server is to edit the database directly or update claims via the console, correct?
I'm trying to figure out the best way to update my claims for service providers in WSO2 IS.
I discovered that the claim-config.xml is only run once. After the database is seeded, the file is not read anymore. Subsequent changes to the claim configuration are written to the WSO2CARBON_DB file which is located at WSO2_INSTALL_LOCATION\repository\database
When WSO2 IS starts for the first time, or when creating a new tenant, it reads the claim-config.xml file and populates the claims into the database. Then you can manage the claims using the methods below:
From the management console. Please refer to the documentation [1] for more details.
Using ClaimMetadataManagementService. Please refer to the documentation [2] for more details.
[1] https://docs.wso2.com/display/IS570/Configuring+Claims
[2] https://docs.wso2.com/display/IS570/Managing+Claims+with+APIs
I created a API Connect project with command
apic loopback
When I try to launch the API designer, I receive error as below:
sdil#sdil-VirtualBox:~/Project/test-apic/todo4$ apic edit
The user model "User" is attached to an application that does not specify
whether other sessions should be invalidated when a password or
an email has changed. Session invalidation is important for security
reasons as it allows users to recover from various account breach
situations.
We recommend turning this feature on by setting
"logoutSessionsOnSensitiveChanges" to true in
server/config.json (unless you have implemented your own solution
for token invalidation).
We also recommend enabling "injectOptionsFromRemoteContext" in
User's settings (typically via common/models/*.json file).
This setting is required for the invalidation algorithm to keep
the current session valid.
Learn more in our documentation at
https://loopback.io/doc/en/lb2/AccessToken-invalidation.html
Error: loopback.errorHandler is no longer available. Please use the module "strong-error-handler" instead.
When I check for declaration in package.json, I did see strong-error-handler written.
"dependencies": {
...
"strong-error-handler": "^2.0.0",
}
How do I fix this to get API Designer running?
I sort of recognize this problem, actually. We had the new strong-error-handler but also the old one active.
Do the steps in "Migration from old LoopBack error handler" here:
https://loopback.io/doc/en/lb3/Using-strong-error-handler.html#migration-from-old-loopback-error-handler
Should eliminate the old one completely.
After adding a new policy and disabling an outdated policy at the PDP console, an action that displays correctly at the PDP Policy view, the connected PDP process using a Java client did not reflect the logic added by the new policy, still acting according to the older, disabled rules. We also tried to run the "Clear Decision Cache" and "Clear Attribute Cache" widgets at the PDP Extension screen, and the PEP is still showing the same issue.
A graceful restart of the WSO2 did solve the error. The server is running WSO2 5.1 release. From an operational standpoint, the restart command is a rather disruptive action and should be avoided.
Are further configuration, or command options available at the WSO2 IS package to drop cache and dynamically refresh an active policy without causing disruption of ongoing services?
This is already tested and working scenario in 5.1.0.
As I understood, you wanted to edit a policy and it should reflect those changes after you publish that new policy without doing any other operation, right? Yes, when you publish the same policy again with new changes, it will replace the new policy in DB and cache in cluster as well. It should reflect at that time.
Actually the scenario described by Harsha is not the same as the one Claude asked. Changing the policy and publishing might work. But disabling or even deleting a policy from the PDP does not become effective unless the server is restarted.
There is a new ticket in Jira:
Disabling/Deleting Policy from PDP Configuration does not work
I've deployed a copy of opserver, and it is working perfectly when using alladmin as the security setting. However, once I switch it to ad and configure the groups, the SQL tab goes away and I get an access denied message if I try browsing directly to it. The dashboard still displays all Solar Winds data as expected.
The build I'm using is actually from November. I tried a more recent build, but I lose the network information from Solar Winds (the CPU and Mem graphs show, but Net is all blank).
Is there a separate place to configure the SQL permissions that I'm missing?
I think perhaps there was some caching going on for the hub that wasn't happening for the provider, because they are both working now. Since it was a new security group, perhaps it hadn't replicated yet (causing the SQL auth to fail) but the dashboard provider was still using the previous authentication?
I also did discover a neat option while researching this though - the GitHub page mentions that you can also specify security at a provider level in the JSON using the AdminGroups and ViewGroups properties!