[jboss-jira] [JBoss JIRA] Created: (JBAS-5995) Jaas multiple login failure (ClientLoginModule)
Thomas Gueze (JIRA)
jira-events at lists.jboss.org
Thu Sep 25 09:37:21 EDT 2008
Jaas multiple login failure (ClientLoginModule)
-----------------------------------------------
Key: JBAS-5995
URL: https://jira.jboss.org/jira/browse/JBAS-5995
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.CR2
Reporter: Thomas Gueze
Assignee: Anil Saldhana
As explained in the forum:
I have an EAR deployed on JBoss 5 CR2.
I perform JAAS authentication with a JAAS login module on the client side and use the ClientLoginModule to propagate the user to the server side (as specified in the JAAS config file).
On the bean, I retrieve the caller principal name with a lookup on the EJBContext:
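import java.lang.reflect.Method;
import java.security.Principal;
import javax.naming.InitialContext;

// Look up the EJBContext through JNDI and call getCallerPrincipal() reflectively.
final Object o = new InitialContext().lookup("java:comp/EJBContext");
final Class<?> ejbContextClass = Class.forName("javax.ejb.EJBContext");
final Method getCallerPrincipalMethod = ejbContextClass.getMethod("getCallerPrincipal");
final Principal principal = (Principal) getCallerPrincipalMethod.invoke(o);
final String callerId = principal.getName();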
The case is:
A user logs in and performs some operations on the bean (he's also the first bean caller); the callerId corresponds.
Then this user logs out and another user logs in successfully (the login modules committed).
He performs operations on the bean, and the callerId corresponds to the previous user.
I've tried setting the DefaultCacheTimeout to 0 and setting the different JAAS ClientLoginModule options (especially multi-threaded to true), but it didn't solve the problem.
Using the SecurityAssociation API is a possible workaround (it works in my case, but I cannot use it), but it's an internal API (it can change), right?
Apparently, there is also an issue with JndiLoginInitialContextFactory (explained in the forum), but I don't know if it's related.
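A regression check for the sequence described in the report (log in, call, log out, log in as a different user, call), added here as an example and not taken from the report or from JBoss. It uses only the standard JAAS API; `PropagatingModule`, `PROPAGATED` and the user names are hypothetical stand-ins for a client-side propagating login module, the caller identity it propagates, and real accounts.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SequentialLoginCheck {
    // Hypothetical stand-in for the identity a client-side module propagates with each call.
    static final ThreadLocal<String> PROPAGATED = new ThreadLocal<>();

    public static class PropagatingModule implements LoginModule {
        private CallbackHandler handler;
        private String name;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.getMessage()); }
            name = nc.getName();
            return name != null;
        }
        public boolean commit() { PROPAGATED.set(name); return true; }
        public boolean abort() { name = null; return true; }
        // logout() must clear the propagated identity, or the next caller inherits it.
        public boolean logout() { PROPAGATED.remove(); name = null; return true; }
    }

    // Logs in as 'user', records the caller a bean would see, then logs out.
    static String callerSeenAfterLogin(String user) throws LoginException {
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    PropagatingModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.<String, Object>of()) };
            }
        };
        LoginContext lc = new LoginContext("client", null, cbs -> ((NameCallback) cbs[0]).setName(user), conf);
        lc.login();
        String seen = PROPAGATED.get();   // stand-in for getCallerPrincipal().getName() on the bean
        lc.logout();
        return seen;
    }

    public static void main(String[] args) throws LoginException {
        String first = callerSeenAfterLogin("alice");   // constructed user names
        String second = callerSeenAfterLogin("bob");
        if (!"alice".equals(first) || !"bob".equals(second) || PROPAGATED.get() != null)
            throw new AssertionError("stale caller identity: " + first + ", " + second);
        System.out.println("caller followed each login: " + first + ", " + second);
    }
}
```

Against a real deployment, the same sequence would replace the `PROPAGATED.get()` read with a remote call that returns the bean's `callerId`.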