[jboss-jira] [JBoss JIRA] Commented: (JBAS-4317) Security Context over the invocation

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Fri Apr 27 10:26:40 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBAS-4317?page=comments#action_12360717 ] 
            
Anil Saldhana commented on JBAS-4317:
-------------------------------------

Thomas, the security context either comes over the wire (remote calls) or comes from the thread local (Local EJB invocations). So wherever the Invocation object is created on the server side, the security context needs to be set on the Invocation object. The IllegalStateException thrown in the containers was one way of validating that whoever was creating the Invocation object has set the security context (just the way they would have done with .setPrincipal, setCredential etc.).

The primary issue is that there are various integration layers constructing the Invocation object rather than a central place.  Some of the examples where the Invocation object is created on the server side include the BaseLocalProxyFactory, ProxyFinderFactory, CMPFieldBridgexxxx.

So I will need to revert back the IllegalStateException and need your stack trace so that I can understand where your Invocation is being created.

Once the containers have established that the invocation does contain a security context, they set it on the thread local so that the JACC PolicyContext get Subject call always takes care of the RunAsIdentity that came into the specific container.

> Security Context over the invocation
> ------------------------------------
>
>                 Key: JBAS-4317
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4317
>             Project: JBoss Application Server
>          Issue Type: Task
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.Beta2
>            Reporter: Anil Saldhana
>         Assigned To: Anil Saldhana
>             Fix For:  JBossAS-5.0.0.Beta3
>
>
> Need to move away from the SecurityAssociation usage to incorporate Security Context over the invocation.

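The validation and thread-local hand-off described in the comment above, sketched as an added example that is not part of the original message and is not JBoss code. The `Invocation`, `SecurityContext` and `invoke` names here are hypothetical stand-ins, and the principal and role values are constructed.

```java
import java.util.function.Supplier;

// Hypothetical stand-ins, not JBoss classes: all names and fields are assumptions.
public class InvocationSecurityContextDemo {
    record SecurityContext(String principal, String runAsIdentity) {}

    static final class Invocation {
        private SecurityContext securityContext;   // null until the creator sets it
        void setSecurityContext(SecurityContext sc) { this.securityContext = sc; }
        SecurityContext getSecurityContext() { return securityContext; }
    }

    // Thread-local association that downstream authorization code reads.
    static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();

    // Container entry point: fail closed if the creator forgot the context,
    // then expose it on the thread only for the duration of the call.
    static <T> T invoke(Invocation inv, Supplier<T> target) {
        SecurityContext sc = inv.getSecurityContext();
        if (sc == null) {
            throw new IllegalStateException("Security context not set on invocation");
        }
        SecurityContext previous = CURRENT.get();
        CURRENT.set(sc);
        try {
            return target.get();
        } finally {
            // Restore, so a pooled thread never keeps another caller's identity.
            if (previous == null) CURRENT.remove(); else CURRENT.set(previous);
        }
    }

    public static void main(String[] args) {
        Supplier<String> bean = () -> "running as " + CURRENT.get().runAsIdentity();

        Invocation ok = new Invocation();
        ok.setSecurityContext(new SecurityContext("alice", "batchRole")); // constructed values
        System.out.println(invoke(ok, bean));
        System.out.println("context left on thread: " + (CURRENT.get() != null));

        Invocation missing = new Invocation(); // creator skipped setSecurityContext
        try {
            invoke(missing, bean);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check sits at the container boundary, any integration layer that builds an invocation without a security context is rejected before the target runs, and the stack trace of that exception points at the code path that created it.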