[jboss-jira] [JBoss JIRA] Commented: (JBAS-5995) Jaas multiple login failure (ClientLoginModule)
Karl Traunmueller (JIRA)
jira-events at lists.jboss.org
Mon Apr 27 16:09:46 EDT 2009
[ https://jira.jboss.org/jira/browse/JBAS-5995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12464694#action_12464694 ]
Karl Traunmueller commented on JBAS-5995:
-----------------------------------------
I have created the simplest test scenario and attached a zip file with 4 Eclipse projects:
- jbas-5995-client: client jar project, contains remote EJB interface
- jbas-5995-ear: ear project for easy deployment with JBDS 2.0
- jbas-5995-ejb: ejb jar project, goes into ear
- jbas-5995-test: test (standalone) client
The client that does a login with one user, calls an SLSB method, logs out, logs in under a different user, and calls another bean method:
public static void main(String[] args) {
SampleStateless sample = null;
try {
Context context = new InitialContext();
sample = (SampleStateless) context
.lookup("jbas-5995-ear/SampleStatelessBean/remote");
} catch (NamingException e) {
e.printStackTrace();
}
SecurityClient client = login("user1", "pass1");
sample.bar();
client.logout();
client = login("user2", "pass2");
sample.foo();
client.logout();
}
private static SecurityClient login(String username, String password) {
try {
SecurityClient securityClient = SecurityClientFactory
.getSecurityClient();
securityClient.setSimple(username, password);
System.out.println("logging in as " + username);
securityClient.login();
return securityClient;
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
JBoss outputs:
...
22:02:21,348 INFO [STDOUT] bar() called by user1
22:02:21,371 INFO [STDOUT] foo() called by user1
...
which should demonstrate the issue, I hope.
regards,
Karl
> Jaas multiple login failure (ClientLoginModule)
> -----------------------------------------------
>
> Key: JBAS-5995
> URL: https://jira.jboss.org/jira/browse/JBAS-5995
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-5.0.0.CR2
> Reporter: Thomas Gueze
> Assignee: Anil Saldhana
>
> As explained in the forum :
> I have an ear deployed on Jboss 5 CR2.
> J perform Jaas authentification with a Jaas login module on client side and use the ClientLoginModule to propagate the user on the server side (so specified in the jaas config file).
> On the bean, I retrieve the caller principal name with a lookup on the EJBContext :
> final Object o = new InitialContext().lookup("java:comp/EJBContext");
> final Class< ? > ejbContextClass = Class.forName("javax.ejb.EJBContext");
> final Method getCallerPrincipalMethod = ejbContextClass.getMethod("getCallerPrincipal");
> final Principal principal = (Principal) getCallerPrincipalMethod.invoke(o);
> final String callerId = principal.getName();
> The case is :
> A user log in, perform some operations on the bean (He's also the first bean caller), the callerId corresponding.
> Then this user log out and another user log in successfully (the login modules committed).
> He perform operations on the bean, and the callerId correspond to the precedent user.
> I've tried to set the DefaultCacheTimeout to 0 and set the different jaas ClientLoginModule options (especially multi-threaded to true), but It didn't solve the problem.
> Use the SecurityAssociation API is a work around possible (work in my case, but cannot use it), but it's an internal API (can change), right?
> Apparently, there is also an issue with JndiLoginInitialContextFactory (explain in the forum), but I don't know if it's related.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list