<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBossCachedAuthenticationManager caching and JAAS modules returning different Principal
</h3>
<span style="margin-bottom: 10px;">
created by <a href="https://community.jboss.org/people/robmv">Robert Marcano</a> in <i>PicketBox Development</i> - <a href="https://community.jboss.org/message/744109#744109">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>I have been trying to run two applications with EJB remoting on JBoss 7.1.x. My main problem is that currently JBoss only allows one authentication method by remoting port (one realm per port) and the EJB3 subsystem only allows one remoting port. To overcome this limitation, after a few chats on IRC, I decided to implement a realm plugin to do the remoting authentication, overriding the concept of the remote client user name to contain the application name (application name + real user name).</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I managed to make this work, with a subclass of RemotingLoginModule I remove the application name in order to not expose the application name when EJBs call ctx.getCallerPrincipal().getName() (changing the CallerPrincipal to be my new principal and not the one from the remoting subsystem)</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Now about picketbox, JBossCachedAuthenticationManager caches the authentication information using as a key the CallerPrincipal that the JAAS module returns, but uses another principal that exists before the authentication to check if the cache is valid. The problem is that when the JAAS module returns a different principal, the cache always misses. let me explain with a little pseudo code</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>--- 1st call</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>cached = domainCache.get(<Principal app + userName>)</p><p>if (cached != null) {</p><p>     authenticate();</p><p>     info.callerPrincipal = <Principal userName>;</p><p>     domainCache.put(info.callerPrincipal, info);</p><p>}</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>--- 2nd call</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>cached = domainCache.get(<Principal app + userName>)</p><p>... cache misses ... cached is null</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The domainCache keys are the caller principal from the JAAS module, but when checking if the cache contains an entry, it uses the original principal. There is an assumption that the caller principal is the same or equals to the original principal, and I think that is wrong. I patched it in order to test my hipotessis so it stores as key the original principal, disabling tests because it fails because it is testing that the caller principal is what is stored, and this way caching works.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I know my test patch is not the right solution, because it break JBossCachedAuthenticationManager API (containsKey, getCachedKeys, flushCache...), Am I right this is a problem or is there a better way to do this?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The patch is simple, instead of calling</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>     domainCache.put(info.callerPrincipal, info);</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>use</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>     domainCache.put(principal, info);</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="https://community.jboss.org/message/744109#744109">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in PicketBox Development at <a href="https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>