[jboss-user] [Security & JAAS/JBoss] - getCallerPrincipal returns incorrect principal

ic.canb do-not-reply at jboss.com
Mon Dec 15 00:22:42 EST 2008


In our web application, when a user logs on we use their credentials to look up and call session beans in the app server.

To do this we hold their user name and password in session state, and when we need to get a service we use these credentials to create an InitialContext and then look up the service. This is where the first problem can happen: sometimes we get the service with the wrong credentials. This is caused by the user and password being held in static variables. We can stop this by setting the SecurityAssociation to server mode (which uses thread locals to hold the user and password) by calling SecurityAssociation.setServer(). Is this the correct way to do this, or should we be doing something different?

The second problem: when we have a stateful service we keep the handle in session state for use the next time we need to call the service; this stateful service holds some user data on the server. The problem is that sometimes when we make a call to the service, getCallerPrincipal() returns the wrong caller principal, although the service that has been called is the correct service. The caller principal is the one from the last lookup on the thread (in server mode) and can sometimes be null if a new thread was used.


JBoss 4.2.2.GA
Tomcat 6.0.13
Sun JVM 1.6.0_10


Thanks,

Ian.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4196439#4196439

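The thread-local behaviour described in the post (the caller principal being whatever the last lookup on that thread set, or null on a fresh thread) is what you get when the per-thread SecurityAssociation is populated only as a side effect of JNDI lookups. The following servlet filter is an added example, not code from the original post or from JBoss; it scopes the identity explicitly to each request thread and clears it afterwards. It assumes JBoss 4.2's org.jboss.security.SecurityAssociation API and uses hypothetical session attribute names "user" and "pass" for the credentials the post says are kept in session state.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

// Hypothetical filter: binds the logged-on user's identity to the current
// request thread before any in-VM session bean call, and unbinds it after.
public class CallerScopeFilter implements Filter {

    public void init(FilterConfig cfg) {
        // Server mode keeps principal/credential in thread locals instead of
        // static fields, so two concurrent requests cannot see each other's user.
        SecurityAssociation.setServer();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        // Assumed attribute names; the post only says the values live in session state.
        String user = session == null ? null : (String) session.getAttribute("user");
        String pass = session == null ? null : (String) session.getAttribute("pass");
        if (user != null && pass != null) {
            // Set the identity on this thread directly rather than relying on a
            // previous InitialContext lookup having done it.
            SecurityAssociation.setPrincipal(new SimplePrincipal(user));
            SecurityAssociation.setCredential(pass);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Pooled threads are reused: clear so the next request on this thread
            // never inherits this user's principal.
            SecurityAssociation.clear();
        }
    }

    public void destroy() {
    }
}
```

Register the filter in web.xml with a url-pattern covering every request that may call a session bean; whether the bean's security domain then authenticates that principal is a separate matter of the login-config.xml for the EJBs.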