[jboss-jira] [JBoss JIRA] Commented: (JBAS-5995) Jaas multiple login failure (ClientLoginModule)

Karl Traunmueller (JIRA) jira-events at lists.jboss.org
Mon Apr 27 16:15:48 EDT 2009 

    [ https://jira.jboss.org/jira/browse/JBAS-5995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12464699#action_12464699 ] 

Karl Traunmueller commented on JBAS-5995:
-----------------------------------------

To get the sample running, you need to copy the jbas-5995-roles.properties and jbas-5995-users.properties into server/default/conf/props folder, and add the following to login-config.xml:

<application-policy name="JBAS5995Realm">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
				flag="required">
				<module-option name="usersProperties">props/jbas-5995-users.properties</module-option>
				<module-option name="rolesProperties">props/jbas-5995-roles.properties</module-option>
			</login-module>
		</authentication>
	</application-policy>

The "jboss-5.0.0.GA client libraries" User Library that is referenced by the jbas-5995-test project is a user library that simply contains all jars from the jboss-5.0.0.GA/client folder.

> Jaas multiple login failure (ClientLoginModule)
> -----------------------------------------------
>
>                 Key: JBAS-5995
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5995
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.CR2
>            Reporter: Thomas Gueze
>            Assignee: Anil Saldhana
>         Attachments: jbas-5995.zip
>
>
> As explained in the forum :
> I have an ear deployed on Jboss 5 CR2.
> J perform Jaas authentification with a Jaas login module on client side and use the ClientLoginModule to propagate the user on the server side (so specified in the jaas config file).
> On the bean, I retrieve the caller principal name with a lookup on the EJBContext :
> final Object o = new InitialContext().lookup("java:comp/EJBContext");
> final Class< ? > ejbContextClass = Class.forName("javax.ejb.EJBContext");
> final Method getCallerPrincipalMethod = ejbContextClass.getMethod("getCallerPrincipal");
> final Principal principal = (Principal) getCallerPrincipalMethod.invoke(o);
> final String callerId = principal.getName();
> The case is :
> A user log in, perform some operations on the bean (He's also the first bean caller), the callerId corresponding.
> Then this user log out and another user log in successfully (the login modules committed).
> He perform operations on the bean, and the callerId correspond to the precedent user.
> I've tried to set the DefaultCacheTimeout to 0 and set the different jaas ClientLoginModule options (especially multi-threaded to true), but It didn't solve the problem.
> Use the SecurityAssociation API is a work around possible (work in my case, but cannot use it), but it's an internal API (can change), right?
> Apparently, there is also an issue with JndiLoginInitialContextFactory (explain in the forum), but I don't know if it's related.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list