[jboss-user] [Security & JAAS/JBoss] - Re: Authentification problems in Jboss 5
karltraunmueller
do-not-reply at jboss.com
Wed Apr 8 01:54:17 EDT 2009
Hi all,
we have also experienced these problems - the Principal associated with Stateless session beans seemed to be randomly wrong.
I think the problem is in org.jboss.ejb3.EJBContextImpl.getCallerPrincipal:
| public Principal getCallerPrincipal()
| {
|    if(beanPrincipal == null)
|    {
|       EJBContainer ec = (EJBContainer) container;
|       SecurityDomain domain = ec.getAnnotation(SecurityDomain.class);
|       Principal callerPrincipal = ejbContextHelper.getCallerPrincipal(
|             SecurityActions.getSecurityContext(),
|             rm, domain);
|
|       // This method never returns null.
|       if (callerPrincipal == null)
|          throw new java.lang.IllegalStateException("No valid security context for the caller identity");
|
|       beanPrincipal = callerPrincipal;
|    }
|    return beanPrincipal;
| }
|
The beanPrincipal associated with the SLSB is lazily initialized, but never reset thereafter.
So, once the SLSB goes back into the pool (after a first invocation), and is later reused for another invocation, the principal isn't correctly reassociated with the current principal - the principal from the first call is still there.
The problem is still present in JBoss 5.0.0.GA, JBAS-5995 is still open.
Can anyone comment on this?
regards,
Karl
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4224231#4224231
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4224231
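To make the pool-reuse failure described above concrete, here is a small stand-alone model. It is an added illustration, not code from the post or from JBoss: the type names (BeanContext, CachingBeanContext, PerCallBeanContext, Pool, Named) and the ThreadLocal stand-in for the container's security context are assumptions. CachingBeanContext keeps the lazy-init shape of the quoted getCallerPrincipal; PerCallBeanContext is the corrected form that holds no caller-specific state in the pooled instance.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Supplier;

// Added illustration, not JBoss code: the type names below are assumptions
// that model the pooled-instance behaviour described in the post.
public class PooledPrincipalDemo {

    // Stand-in for the container's per-invocation security context (assumption).
    static final ThreadLocal<Principal> CURRENT_CALLER = new ThreadLocal<>();

    static final class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    interface BeanContext {
        Principal getCallerPrincipal();
    }

    // Mirrors the quoted pattern: the caller is resolved lazily into an instance
    // field and never cleared, so a pooled instance keeps reporting its first caller.
    static final class CachingBeanContext implements BeanContext {
        private Principal beanPrincipal;

        @Override public Principal getCallerPrincipal() {
            if (beanPrincipal == null) {
                Principal caller = CURRENT_CALLER.get();
                if (caller == null) {
                    throw new IllegalStateException(
                        "No valid security context for the caller identity");
                }
                beanPrincipal = caller;
            }
            return beanPrincipal;
        }
    }

    // Corrected form: nothing caller-specific lives in the pooled instance; the
    // principal is read from the current security context on every call.
    static final class PerCallBeanContext implements BeanContext {
        @Override public Principal getCallerPrincipal() {
            Principal caller = CURRENT_CALLER.get();
            if (caller == null) {
                throw new IllegalStateException(
                    "No valid security context for the caller identity");
            }
            return caller;
        }
    }

    // Minimal instance pool: a released instance is handed to the next invocation.
    static final class Pool<T> {
        private final Deque<T> idle = new ArrayDeque<>();
        private final Supplier<T> factory;
        Pool(Supplier<T> factory) { this.factory = factory; }
        T acquire() { T t = idle.poll(); return t != null ? t : factory.get(); }
        void release(T t) { idle.push(t); }
    }

    // Runs one invocation on behalf of `caller` and returns the name the bean saw.
    static <T extends BeanContext> String invokeAs(Pool<T> pool, String caller) {
        CURRENT_CALLER.set(new Named(caller));
        T bean = pool.acquire();
        try {
            return bean.getCallerPrincipal().getName();
        } finally {
            pool.release(bean);
            CURRENT_CALLER.remove();
        }
    }

    public static void main(String[] args) {
        // Two consecutive calls by different users; each reuses the pooled instance.
        Pool<CachingBeanContext> caching = new Pool<>(CachingBeanContext::new);
        System.out.println("caching  alice -> " + invokeAs(caching, "alice"));
        System.out.println("caching  bob   -> " + invokeAs(caching, "bob"));

        Pool<PerCallBeanContext> perCall = new Pool<>(PerCallBeanContext::new);
        System.out.println("per-call alice -> " + invokeAs(perCall, "alice"));
        System.out.println("per-call bob   -> " + invokeAs(perCall, "bob"));
    }
}
```

Compile with `javac PooledPrincipalDemo.java` and run `java PooledPrincipalDemo`: the caching pool's second invocation still reports alice although bob is the current caller, while the per-call pool reports bob. The other way to close the gap is to clear the cached field whenever the instance is returned to the pool; either way, a test that exercises a warm pool with two different authenticated users and asserts on getCallerPrincipal().getName() for each call is the check that catches this class of identity mix-up.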