[ http://jira.jboss.com/jira/browse/JBAS-3976?page=comments#action_12350492 ]
Anil Saldhana commented on JBAS-3976:
-------------------------------------
Fixed for JBoss-5.0.0.Beta2 with StatefulSessionSecurityInterceptor.java added to
conf/standardjboss.xml
Need to do the same in 4.0 branches which will need testcases.

Stateful Session Bean throws a Null Security Context exception with no login
----------------------------------------------------------------------------
Key: JBAS-3976
URL: http://jira.jboss.com/jira/browse/JBAS-3976
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta1, JBossAS-4.0.5.GA
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-4.2.0.CR1, JBossAS-4.0.5.SP1, JBossAS-5.0.0.Beta2

Since the stateful session bean instance interceptor happens before the security
interceptor (security exceptions need to invalidate the session), the call to set the
principal on the enterprise context can fail when the bean was invoked with no login.
Remember the getCallerPrincipal call on the context needs to always return a non-null
principal.

If the setting of the principal on the context happens after the security checks have
been made via the security interceptor, there are security domain settings reflected via
the unauthenticated principal setting on the domain into the principal to be set on the
context.

Of course the user can always specify the unauthenticated-principal tag in the
jboss-app.xml/jboss.xml DD, but this should not be mandatory.

There is a need for a new interceptor after the security interceptor.
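
The ordering problem described in the issue, as an added example that is not part of the original message and is not JBoss code: a simplified interceptor chain invoked with no login, first with the principal set before the security step and then with it set by a separate step after it. All class, field and constant names, and the "anonymous" identity, are hypothetical stand-ins.

```java
import java.security.Principal;
import java.util.List;

// Simplified model of a container interceptor chain. Every type and name here is a
// hypothetical stand-in for illustration; none of it is JBoss code.
public class InterceptorOrderDemo {
    static class Invocation { Principal caller; }        // null when the client did not log in
    static class BeanContext {
        Principal principal;
        Principal getCallerPrincipal() {                 // must never hand back null
            if (principal == null) throw new IllegalStateException("null security context");
            return principal;
        }
    }
    interface Interceptor { void invoke(Invocation inv, BeanContext ctx); }

    // Assumed domain-level unauthenticated identity (constructed value).
    static final Principal DOMAIN_UNAUTHENTICATED = () -> "anonymous";

    // Runs before security: it only sees what the client sent.
    static final Interceptor INSTANCE_SETS_PRINCIPAL = (inv, ctx) -> ctx.principal = inv.caller;
    // Instance handling with the principal assignment moved out.
    static final Interceptor INSTANCE_ONLY = (inv, ctx) -> { };
    // Security checks: map a missing login onto the domain's unauthenticated identity.
    static final Interceptor SECURITY = (inv, ctx) -> {
        if (inv.caller == null) inv.caller = DOMAIN_UNAUTHENTICATED;
    };
    // Step placed after security: copy the resolved identity onto the context.
    static final Interceptor SET_PRINCIPAL_AFTER_SECURITY = (inv, ctx) -> ctx.principal = inv.caller;

    static String callerName(List<Interceptor> chain) {
        Invocation inv = new Invocation();               // constructed input: call with no login
        BeanContext ctx = new BeanContext();
        for (Interceptor i : chain) i.invoke(inv, ctx);
        try { return ctx.getCallerPrincipal().getName(); }
        catch (IllegalStateException e) { return "FAILED: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println("before: " + callerName(List.of(INSTANCE_SETS_PRINCIPAL, SECURITY)));
        System.out.println("after:  " + callerName(
                List.of(INSTANCE_ONLY, SECURITY, SET_PRINCIPAL_AFTER_SECURITY)));
    }
}
```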