[jboss-jira] [JBoss JIRA] Commented: (JBAS-3976) Stateful Session Bean throws a Null Security Context exception with no login

Anil Saldhana (JIRA) jira-events at jboss.com
Wed Jan 10 17:16:26 EST 2007


    [ http://jira.jboss.com/jira/browse/JBAS-3976?page=comments#action_12350492 ] 
            
Anil Saldhana commented on JBAS-3976:
-------------------------------------

Fixed for JBoss-5.0.0.Beta2 with StatefulSessionSecurityInterceptor.java added to conf/standardjboss.xml

Need to do the same in 4.0 branches which will need testcases.

> Stateful Session Bean throws a Null Security Context exception with no login
> ----------------------------------------------------------------------------
>
>                 Key: JBAS-3976
>                 URL: http://jira.jboss.com/jira/browse/JBAS-3976
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.Beta1, JBossAS-4.0.5.GA
>            Reporter: Anil Saldhana
>         Assigned To: Anil Saldhana
>             Fix For: JBossAS-4.2.0.CR1, JBossAS-4.0.5.SP1 , JBossAS-5.0.0.Beta2
>
>
> Since the stateful session bean instance interceptor happens before the security interceptor (security exceptions need to invalidate the session), the call to set the principal on the enterprise context can fail when the bean was invoked with no login. Remember the getCallerPrincipal call on the context needs to always return a non-null principal.
> If the setting of the principal on the context happens after the security checks have been made via the security interceptor, there is security domain settings reflected via the unauthenticated principal setting on the domain into the principal to be set on the context.
> Of course the user can always specify the unauthenticated-principal tag in jboss-app.xml/jboss.xml DD but this should not be mandatory.
> There is a need for a new interceptor after the security interceptor.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        



More information about the jboss-jira mailing list