[jboss-user] [Security & JAAS/JBoss] - User credentials lost after remote EJB call

[annie1234]

Hi
I have a J2EE application that runs on JBoss 4.0.3. The application consists of a web front-end and a EJB 2.1 Stateless Session Bean to implement our business logic.
 
Users are authenticated by logging into the web interface. A JAAS LoginModule is used to create a security realm for our web tier (configured in our web.xml & jboss-web.xml files). When a business method is invoked on the SSB the users credentials are correctly propagated to the EJB container (the same security realm has been configured in our jboss.xml file).
 
At this stage declarative security (to apply role permissions to EJB methods in ejb-jar.xml) and programmatic security (to access users principal & role using the interface methods SessionContext.getCallerPrincipal().getName() & SessionContext.isCallerInRole("Admin") respectively) work correctly.
 
The problem arises when an EJB makes a remote call to another remote EJB on another host with a different username/password . After  successfully returning from this remote call our original SSB appears to have an incorrect SesssionContext.

The remote lookup and operation to the second EJB is done using the following function:

 void changeRemoteBlah(){   
     // At this point the SessionContext for the current user on the current local ejb is ok, and we can call local authorized methods
      Properties env = new Properties();
      env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
      env.setProperty(Context.SECURITY_PRINCIPAL, "remoteAdmin");
      env.setProperty(Context.SECURITY_CREDENTIALS, password);

      InitialContext ctx = new InitialContext(env);
      Object o =  ctx.lookup(jndiRemote);
      BlahManagerRemoteHome home = (BlahManagerRemoteHome) PortableRemoteObject.narrow(o, BlahManagerRemoteHome.class);
      BlahManagerRemote manager = home.create();
      manager.deployBlah();
 
      return;
 // after the return the SessionContext for the caller EJB is wrong, and we can no longer call our own (local) ejb methods that have authorization on them
}

Debug logs after the remote call, upon returning to the 1st EJB:

org.jboss.security.SecurityAssociation.getSubject,sc=org.jboss.security.SecurityAssociation$SubjectContext at 4db02a{principal=remoteAdmin,subject=null}
org.jboss.security.SecurityAssociation.getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 7cf002[Subject(27545610).principals=org.jboss.security.SimplePrincipal at 28801046(Admin)org.jboss.security.SimpleGroup at 2946678(Roles(members:Admin)),credential.class=java.lang.String at 5268497,expirationTime=1165984451664

The getPrincipal call shows the correct original user, however the getSubject call shows the user that was used for the remote call. Does anyone know why this is the case and how to fix it?

Alternatviely as a workaround solution we have considered storing a local copy of the Users details (SessionContext.getUserRole(), etc) in the method and somehow restore them after completing each remote call to the other ejb. Does anyone know how to to reset these details into the current SessionContext?

Thanks,
Annie

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3993239#3993239

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3993239