[jboss-jira] [JBoss JIRA] Created: (JBAS-3388) EJB Remote Handle stored in HTTP session or serialized loses SecurityAssociation

warren crossing (JIRA) jira-events at jboss.com
Wed Jul 12 22:31:15 EDT 2006 

EJB Remote Handle stored in HTTP session or serialized loses SecurityAssociation
--------------------------------------------------------------------------------

                 Key: JBAS-3388
                 URL: http://jira.jboss.com/jira/browse/JBAS-3388
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: EJB3, Naming, Security
    Affects Versions: JBossAS-4.0.4.GA
         Environment: Linux splice 2.6.16-rc4 #9 PREEMPT Thu May 4 11:30:04 NZST 2006 i686 GNU/Linux
java version "1.6.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-beta-b59g)
Java HotSpot(TM) Client VM (build 1.6.0-beta-b59g, mixed mode, sharing)
Release ID: JBoss [Zion] 4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)

            Reporter: warren crossing
         Assigned To: Bill Burke


After looking up home using JndiLogincontextFactory the jboss securityassociation is stored in the threadlocal.
So if we persist the handle and then retrieve it,  or access it in another thread the security infomation is lost.
How to get the EJBObject in a secure way

first accessed by: kermit
12:00:37,427 INFO  [STDOUT] 0
second access gives 
12:00:38,645 ERROR [STDERR] java.rmi.AccessException: SecurityException; nested exception is: 
        java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=SessionSecurityBean, method=getEJBObject, interface=HOME, requiredRoles=[basic], principalRoles=[]

Even if we <unchecked/> getEJBObject the security information is lost and subsequent bean members are executed in a undefined security context.

The only work around I have is to lookup the HOME first. This sets the threads SecurityAssociation again.

Shouldn't the Remote stub or Handle contain a clone or something to automatically reconstruct the SecurityAssociation, and what are the implications on security if I leave a preauthenticated handle lying around somewhere. I dont think the J2EE spec doesn't cover this aspect of security.

I have worked on a testcase ant build file and all, please email me for it. warren.crossing at nec.com.au.

Thanks.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list