[jboss-user] [Security & JAAS/JBoss] - JAAS multi-threaded=true causing SecurityException principal

sdegenaar do-not-reply at jboss.com
Thu Aug 10 05:30:12 EDT 2006


We have set up a separate Tomcat installation (tried with both 5.5.9 and the latest 5.5.17) talking to JBoss 4.0.2 (also tried 4.0.4). We are using JAAS authentication with a custom login module authenticating against Active Directory. We are chaining authentication using the org.jboss.security.ClientLoginModule required attribute in the Tomcat login.conf. We also have the attributes set for password-stacking = "useFirstPass";

This all works perfectly if we use multi-threaded=false. Pretty much single user access. If we set this to true we get very intermittent results. Sometimes it works fine, then you will get SecurityException: Insufficient method permissions, principal=null. Refresh a few times and it seems to find the principal again.

I seem to have reproduced it failing every time by calling a secured session bean method from a JSP page multiple times and doing a refresh halfway through. This will always cause it to get the security exception. Hit refresh a few more times and it seems to find it again. Very strange behaviour. This is possibly happening in our production system as we are using Struts. Possibly it is failing in a similar way in that it is calling an action and then redirecting... I have tried many things but am lost for ideas. Has anyone seen anything like this or have any ideas...

Much appreciated,
cheers!
