[jboss-dev-forums] [Design of JBoss/Tomcat Integration] - Re: org.jboss.web.tomcat.security.RunAsListener
anil.saldhana@jboss.com
do-not-reply at jboss.com
Thu Apr 19 22:32:47 EDT 2007
I am seeing an issue that is a bit perplexing. I do not know how it was working before in JBoss4.
Here is the use case:
Testcase: org.jboss.test.web.test.WebIntegrationUnitTestCase
Scenarios: testUnsecureRunAsServlet, testUnsecureRunAsServletWithPrincipalName, testUnsecureRunAsServletWithPrincipalNameAndRoles
In my current pass at JBoss5, I am making use of a single threadlocal to contain the security context with push/pop mechanism.
| Servlet: RunAsServlet
|
| init()
| {
| //I have a run-as defined, I am going to call a secure ejb
| }
|
| service()
| {
| //I am going to call a secure ejb. run-as will be propagated
| }
|
In my sequence of calls, JaccContextValve, which is set at the host level, establishes the security context on the thread local. After this, the SecurityAssociationValve will push the current run-as onto the established security context.
When the servlet is loaded, the init() method is preceded by an InstanceEvent("before_init") which will invoke the RunAsListener. I push the run-as onto the security context. After the init method, there is an event for "after_init", which would pop the run-as from the security context. So things work fine for the init() method secure ejb call.
There are issues from the service() method call in the servlet onto secure ejbs. The sequence of events is as follows for service():
| JaccContextValve - set the security context
| SecurityAssociationValve - push run-as
| load the servlet
| instanceevent:before_init - push run-as
| init()
| instanceevent:after_init - pop run-as
|
| At this time my thread local is devoid of any run-as
|
| instanceevent:before_filter
| instanceevent:after_filter
| instanceevent:before_service
| service()
| instanceevent:after_service
|
As you can see, there is no passage of the request through the valve chain between invocation of the init() and service() methods. I think this is the right sequence.
I can solve this use case by adding push/pop of run-as in the RunAsListener for InstanceEvent(before_service) and InstanceEvent(after_service).
Thoughts/suggestions?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039113#4039113
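The sequence described in the post, as an added example that is not JBoss or Tomcat code: a small Java model of the valve and InstanceEvent chain driven against one thread-local security context, with the proposed before_service/after_service push/pop switchable on and off. Everything here is constructed for illustration. In particular, the SecurityContext is assumed to hold a single current run-as (push replaces it, pop clears it), which is what makes the thread local empty after the after_init pop as the post observes; the event names are plain strings that mirror the InstanceEvent types, and secureEjbCall stands in for the secure EJB invocation and only records which run-as would reach it.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not JBoss code: a simplified model of the valve and
 * InstanceEvent sequence from the post, run against a single thread-local
 * security context. Assumption: the context holds one current run-as
 * (push replaces it, pop clears it), which reproduces the "devoid of any
 * run-as" state after the after_init pop.
 */
public class RunAsSequenceDemo {

    /** Security context held on the thread local. */
    static final class SecurityContext {
        private String runAs;                       // current run-as, or null
        void pushRunAs(String id) { runAs = id; }   // assumption: single slot, not a stack
        void popRunAs()          { runAs = null; }
        String currentRunAs()    { return runAs; }
    }

    /** The single thread-local the post describes. */
    static final ThreadLocal<SecurityContext> CONTEXT = new ThreadLocal<>();

    // Event names, mirroring the InstanceEvent types named in the post.
    static final String BEFORE_INIT    = "before_init";
    static final String AFTER_INIT     = "after_init";
    static final String BEFORE_SERVICE = "before_service";
    static final String AFTER_SERVICE  = "after_service";

    /** Model of RunAsListener: wraps init(), and optionally service(), with push/pop. */
    static final class RunAsListener {
        private final String runAs;
        private final boolean wrapService;   // true = the proposed fix is applied

        RunAsListener(String runAs, boolean wrapService) {
            this.runAs = runAs;
            this.wrapService = wrapService;
        }

        void instanceEvent(String type) {
            SecurityContext sc = CONTEXT.get();
            if (sc == null) return;          // no context established by the valve
            switch (type) {
                case BEFORE_INIT:    sc.pushRunAs(runAs); break;
                case AFTER_INIT:     sc.popRunAs();       break;
                case BEFORE_SERVICE: if (wrapService) sc.pushRunAs(runAs); break;
                case AFTER_SERVICE:  if (wrapService) sc.popRunAs();       break;
                default: /* before_filter / after_filter: nothing to do */ break;
            }
        }
    }

    /** Stand-in for the secure EJB call: records the run-as that would reach it. */
    static String secureEjbCall(String where) {
        SecurityContext sc = CONTEXT.get();
        String seen = (sc == null) ? null : sc.currentRunAs();
        return where + "=" + seen;
    }

    /**
     * Drives a first request (servlet loaded and init() run inline) through
     * the post's sequence and returns what the secure EJB would see from
     * init() and from service().
     */
    static List<String> runRequest(String runAs, boolean wrapService) {
        List<String> seen = new ArrayList<>();
        RunAsListener listener = new RunAsListener(runAs, wrapService);
        CONTEXT.set(new SecurityContext());          // JaccContextValve
        try {
            CONTEXT.get().pushRunAs(runAs);          // SecurityAssociationValve
            listener.instanceEvent(BEFORE_INIT);     // load the servlet
            seen.add(secureEjbCall("init"));         // init() calls the secure EJB
            listener.instanceEvent(AFTER_INIT);
            listener.instanceEvent("before_filter");
            listener.instanceEvent("after_filter");
            listener.instanceEvent(BEFORE_SERVICE);
            seen.add(secureEjbCall("service"));      // service() calls the secure EJB
            listener.instanceEvent(AFTER_SERVICE);
        } finally {
            CONTEXT.remove();                        // never leak state across pooled threads
        }
        return seen;
    }

    public static void main(String[] args) {
        System.out.println("init only:        " + runRequest("RunAsRole", false));
        System.out.println("init and service: " + runRequest("RunAsRole", true));
    }
}
```

With wrapService=false the run-as reaches the EJB from init() but not from service(), matching the post; with wrapService=true both calls see it. Two practitioner notes on the model: the finally block removes the thread local so a run-as never survives onto the next request handled by a pooled thread, and under the single-slot assumption the listener's after_init pop also discards what the SecurityAssociationValve pushed, which is why nothing is left for service() until the listener pushes again.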