Hi JBoss developers,
I'm trying to get user groups info in the mbean code w/ JBoss app server version 5.1.0
GA. After some trial and error, this info is available through
'SecurityAssociation.getSubject()' and/or
'SecurityContextAssociation.getSecurityContext()'. If I invoke the mbean via jmx-console
(the web UI), it works fine. But if I invoke it via RMIAdaptor with AuthenticationInterceptor
enabled (following the instructions at
http://www.jboss.org/community/wiki/SecureTheInvokers),
then 'SecurityAssociation.getSubject()' returns null, and
'SecurityContextAssociation.getSecurityContext()' returns the security context
with securityDomain=other; the expected is securityDomain=jmx-console. I noticed that
SecurityAssociation.getPrincipal()/getCredential() still return the correct username and
password.
After debugging, I found that AuthenticationInterceptor.invoke() sets the right security
context before invoking, but InvokerAdaptorService.invoke() (down the interceptor chain)
sets the security context to the default security domain. Is this a bug, or is there some
reason for this?
Here's the related code in InvokerAdaptorService.invoke(), line 228:
    // Invoke the MBeanServer method via reflection
    Method method = invocation.getMethod();
    Object[] args = invocation.getArguments();
    Principal principal = invocation.getPrincipal();
    Object credential = invocation.getCredential();
    Object value = null;
    SecurityContext sc = SecurityActions.createSecurityContext(SecurityConstants.DEFAULT_APPLICATION_POLICY);
    SecurityActions.setSecurityContext(sc);
    // Associate the method
    SecurityActions.pushSubjectContext(principal, credential, null);
Note that it always uses the default security domain, and passes null as the subject to the
SecurityActions.pushSubjectContext() call.
Thank you so much!
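An added example, not part of the original post and not JBoss code: a guard an MBean could call so that group lookups fail closed when the thread carries the state described above (null Subject, securityDomain=other), rather than treating a populated principal/credential as proof of group membership. The class name CallerRoles, the expected domain constant and the "Roles" group name are assumptions.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

/** Hypothetical helper (not JBoss code): resolve the caller's roles or refuse. */
public final class CallerRoles {
    // Assumption: the domain the invoker is secured with, as named in the post.
    private static final String EXPECTED_DOMAIN = "jmx-console";
    // Assumption: the login module stores role names in a Group called "Roles".
    private static final String ROLES_GROUP = "Roles";

    private CallerRoles() {}

    /** Call from the MBean operation; throws instead of guessing. */
    public static Set<String> current() {
        SecurityContext sc = SecurityContextAssociation.getSecurityContext();
        String domain = (sc == null) ? null : sc.getSecurityDomain();
        return resolve(SecurityAssociation.getSubject(), domain);
    }

    /** JDK-only logic, so it can be unit tested without a running server. */
    static Set<String> resolve(Subject subject, String domain) {
        if (!EXPECTED_DOMAIN.equals(domain)) {
            throw new SecurityException("unexpected security domain: " + domain);
        }
        if (subject == null) {
            throw new SecurityException("no authenticated Subject on this thread");
        }
        Set<String> roles = new HashSet<String>();
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!ROLES_GROUP.equals(g.getName())) continue; // skip e.g. CallerPrincipal
            Enumeration<? extends Principal> members = g.members();
            while (members.hasMoreElements()) {
                roles.add(members.nextElement().getName());
            }
        }
        return Collections.unmodifiableSet(roles);
    }
}
```

With the behaviour reported in the post, a call arriving through RMIAdaptor would be rejected by the domain check, which makes the missing context visible instead of silently returning no groups.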