[jboss-user] [Security & JAAS/JBoss] - Strange: access rights lost

Annegret do-not-reply at jboss.com
Mon Sep 18 10:22:22 EDT 2006


Hi,

I have a very strange phenomenon which does not occur every time, but often enough that I have to try to find a solution.

JBoss 4.0.4GA, JDK 1.5.0_05, Windows XP

I've configured a JAAS login which has been running fine for a long time in our application. Now, in a newer version of our application, we added functionality and strange things happen.
Our application is based on applets; each applet calls a stateful session bean which is secured. Before starting the first applet for editing data, the user has to log in via a LoginApplet which executes a JAAS login process.
Now suddenly, when the user changes from one applet to a different applet, the username and access rights are no longer available. On starting a new applet the JAAS login process is executed (transparently for the user) and I can see in the logfile that the username is now "anonymus". I've added the anonymus user for unauthenticated access because we have one SessionBean for which we need unauthenticated access. But here it's still the logged-in user who is calling the session bean, and it now gets exceptions because of missing access rights.

It seems that something is throwing out the current user.
We have an MBean server running that calls login / logout with the same username, but this has been working for a long time and didn't cause any trouble.

We added a new EJB3 MBean that calls login and logout; may this cause the problems?

We added functionality that exchanges data with a different application: on JBoss startup the EJB3 bean creates an instance of a class and registers this class for callbacks on the other application. When a special trigger occurs, the other application calls the callback method. In this method a login / logout is done.
This is the only thing I can imagine that may cause trouble; I don't know which thread is calling login / logout.
Otherwise I'm not sure, but the problem seems to occur without the callback.

I tried to change the log4j config to see which thread is calling which functions, but I didn't succeed in reproducing the error. I will try to get more information.

Scott, or anyone else, do you have any idea what may throw out a current user?
Any idea what I can try ?

One idea from me is to not call login / logout in the callback function directly, but to get a reference to the EJB3 MBean over JNDI and call login / logout in that context. Do you think this would change anything?

Any idea would be appreciated.

Annegret
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3972326#3972326

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3972326
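The failure mode the post describes (a login / logout executed from a callback on an unknown thread "throwing out" the interactive user) is what happens when the current principal lives in storage shared by all threads instead of in per-thread storage. The demo below is an added example, not code from the post or from JBoss: `IdentityStore`, `SharedIdentity`, `ThreadScopedIdentity` and the user names are constructed stand-ins for a JAAS-style security association, chosen only to replay the post's sequence of events (user logs in on the applet thread, a callback thread logs in and out while the user is still active, the applet thread then makes a secured call). JBoss's `ClientLoginModule` exposes a `multi-threaded` option that switches it to per-thread storage for exactly this reason; logging `Thread.currentThread().getName()` at every login and logout is the quickest way to confirm whether the callback really runs on a different thread than the user's login.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Constructed demo (not JBoss code): shows how a login/logout pair on a callback
 * thread clears a user who is still logged in on another thread when the current
 * principal is held in a process-wide static, and how a ThreadLocal avoids that.
 */
public class IdentityScopeDemo {

    /** Hypothetical minimal contract of a JAAS-style identity association. */
    interface IdentityStore {
        void login(String user);
        void logout();
        String current();   // "anonymus" when nobody is logged in, as in the post's log
    }

    /** One principal for the whole JVM: every thread reads and writes the same slot. */
    static final class SharedIdentity implements IdentityStore {
        private static volatile String principal;
        public void login(String user) { principal = user; }
        public void logout()           { principal = null; }
        public String current()        { return principal == null ? "anonymus" : principal; }
    }

    /** One principal per thread: a logout on thread B cannot touch thread A's slot. */
    static final class ThreadScopedIdentity implements IdentityStore {
        private static final ThreadLocal<String> principal = new ThreadLocal<>();
        public void login(String user) { principal.set(user); }
        public void logout()           { principal.remove(); }
        public String current() {
            String p = principal.get();
            return p == null ? "anonymus" : p;
        }
    }

    /**
     * Replays the sequence from the post: the user logs in on the applet's thread,
     * a callback arriving on a different thread does its own login/logout while the
     * user is still active, then the applet thread makes a secured call. Returns the
     * principal the applet thread observes at that moment.
     */
    static String principalSeenAfterCallback(IdentityStore store) throws InterruptedException {
        CountDownLatch userLoggedIn = new CountDownLatch(1);
        CountDownLatch callbackFinished = new CountDownLatch(1);
        AtomicReference<String> observed = new AtomicReference<>();

        Thread appletThread = new Thread(() -> {
            store.login("annegret");            // LoginApplet: interactive JAAS login (constructed name)
            userLoggedIn.countDown();
            awaitQuietly(callbackFinished);     // user keeps working while the callback runs elsewhere
            observed.set(store.current());      // identity presented on the next secured EJB call
            store.logout();
        }, "applet-thread");

        Thread callbackThread = new Thread(() -> {
            awaitQuietly(userLoggedIn);
            store.login("callback-service");    // the callback's own login ... (constructed name)
            store.logout();                     // ... and logout, like the EJB3 MBean callback
            callbackFinished.countDown();
        }, "callback-thread");

        appletThread.start();
        callbackThread.start();
        appletThread.join();
        callbackThread.join();
        return observed.get();
    }

    private static void awaitQuietly(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared static store : " + principalSeenAfterCallback(new SharedIdentity()));
        System.out.println("thread-local store  : " + principalSeenAfterCallback(new ThreadScopedIdentity()));
    }
}
```

Compile and run with `javac IdentityScopeDemo.java && java IdentityScopeDemo`. With the shared store the applet thread observes "anonymus" on its next secured call, because the callback's logout cleared the only slot there is; with the thread-local store it still observes "annegret", since the callback thread only ever touched its own slot. The same distinction applies to the post's fallback idea of routing the callback's login / logout through the EJB3 MBean: that changes which code calls login / logout, but not which thread's identity storage it writes to.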