[jboss-user] [Security & JAAS/JBoss] - JAAS multi-threaded=true causing SecurityException principal
sdegenaar
do-not-reply at jboss.com
Thu Aug 10 05:30:12 EDT 2006
We have setup a seperate tomcat installation (tried with both 5.5.9 and the latest 5.5.17) talking to jboss 4.0.2 (also tried 4.0.4). We are using JAAS authentication with a custom login module authenticating against Active Directory. We are chaining authentication using the org.jboss.security.ClientLoginModule required attribute in the tomcat login.conf. We also have the attributes set for password-stacking = "useFirstPass"; This all works perfect if we use multi-threaded=false. Pretty much single user access. If we set this to true we have very intermident results. Sometimes it works fine, then you will get SecurityExcpetion: Insufficient method permissions, principal=null. Refresh a few times and it seems to find the principal again. I have seemed to reproduce it failing everytime by calling a secured session bean method from a jsp page multiple times and doing a refresh halfway through. This will always cause it to get the Security exception. Hit the refresh a few more times and it seems to find it again. Very strange behaviour. This is possibly happening in our production system as we are using struts. Possibly it is failing a similar way in that it is calling an action and then redirecting...... I have tried many things but am lost for ideas. Has anyone seen anything like this or have any ideas...
Much appreciated,
cheers!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964294#3964294
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3964294
More information about the jboss-user
mailing list