[jboss-jira] [JBoss JIRA] Created: (JBAS-3976) Stateful Session Bean throws a Null Security Context exception with no login

[Anil Saldhana (JIRA)]

Stateful Session Bean throws a Null Security Context exception with no login
----------------------------------------------------------------------------

                 Key: JBAS-3976
                 URL: http://jira.jboss.com/jira/browse/JBAS-3976
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-5.0.0.Beta1, JBossAS-4.0.5.GA
            Reporter: Anil Saldhana
         Assigned To: Anil Saldhana
             Fix For: JBossAS-5.0.0.Beta2, JBossAS-4.2.0.CR1, JBossAS-4.0.5.SP1 


Since the stateful session bean instance interceptor happens before the security interceptor (security exceptions need to invalidate the session), the call to set the principal on the enterprise context can fail when the bean was invoked with no login. Remember the getCallerPrincipal call on the context needs to always return a non-null principal.

If the setting of the principal on the context happens after the security checks have been made via the security interceptor, there is security domain settings reflected via the unauthenticated principal setting on the domain into the principal to be set on the context.

Of course the user can always specify the unauthenticated-principal tag in jboss-app.xml/jboss.xml DD but this should not be mandatory.

There is a need for a new interceptor after the security interceptor.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira