[jboss-user] [Security & JAAS/JBoss] - Problems with the Subject

[jhmjesus]

    It assumes this context:

1.One ejb jar with one X Stateless .
2.Another ejb jar with Y Stateless.
3.The Security Domain is the same for both.

   Well, the login was made for client with user A. At this moment was performed one method of the X Stateless. In the sequence client perform another method in Y Stateless. The Subject is OK.

   The client made the logout.

   Now the client made the login with user B perform the same method in X Stateless. After this it executed the same method in Y Stateless. At this moment the Subject is of user A.

   I'm using isValid(principal,credential,subject) SecurityAssociation method to retrieve the Subject. In my jboss-service.xml JAAS Security Manager configuration the attribute is DefaultCacheTimeout = 0 and DefaultCacheResolution = 0.

   What's the problem??? Why the user A Subject still exists in the EJB Container after the first logout.
      
   My environment:
      -OpenSuSE Linux version 10.0
      -JDK vesion 1.5.0_06
      -JBoss-AS version4.0.4.GA
      -EJB3 RC9FD+Patch.

   Thaks a lot.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4038361#4038361

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4038361