[jboss-jira] [JBoss JIRA] Commented: (JBAS-5995) Jaas multiple login failure (ClientLoginModule)

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Oct 9 13:39:21 EDT 2008 

    [ https://jira.jboss.org/jira/browse/JBAS-5995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12433281#action_12433281 ] 

Anil Saldhana commented on JBAS-5995:
-------------------------------------

Why not do?
http://java.sun.com/javaee/5/docs/api/javax/ejb/EJBContext.html#getCallerPrincipal()

ejbContext.getCallerPrincipal.  You are doing some jndi lookup.

If you can create a test case plus test deployment, we can take a look.

> Jaas multiple login failure (ClientLoginModule)
> -----------------------------------------------
>
>                 Key: JBAS-5995
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5995
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.CR2
>            Reporter: Thomas Gueze
>            Assignee: Anil Saldhana
>
> As explained in the forum :
> I have an ear deployed on Jboss 5 CR2.
> J perform Jaas authentification with a Jaas login module on client side and use the ClientLoginModule to propagate the user on the server side (so specified in the jaas config file).
> On the bean, I retrieve the caller principal name with a lookup on the EJBContext :
> final Object o = new InitialContext().lookup("java:comp/EJBContext");
> final Class< ? > ejbContextClass = Class.forName("javax.ejb.EJBContext");
> final Method getCallerPrincipalMethod = ejbContextClass.getMethod("getCallerPrincipal");
> final Principal principal = (Principal) getCallerPrincipalMethod.invoke(o);
> final String callerId = principal.getName();
> The case is :
> A user log in, perform some operations on the bean (He's also the first bean caller), the callerId corresponding.
> Then this user log out and another user log in successfully (the login modules committed).
> He perform operations on the bean, and the callerId correspond to the precedent user.
> I've tried to set the DefaultCacheTimeout to 0 and set the different jaas ClientLoginModule options (especially multi-threaded to true), but It didn't solve the problem.
> Use the SecurityAssociation API is a work around possible (work in my case, but cannot use it), but it's an internal API (can change), right?
> Apparently, there is also an issue with JndiLoginInitialContextFactory (explain in the forum), but I don't know if it's related.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list