[jboss-user] [Security & JAAS/JBoss] - Re: Authentification problems in Jboss 5

karltraunmueller do-not-reply at jboss.com
Wed Apr 8 01:54:17 EDT 2009

Hi all,

we have also experienced these problems - the Principal associated with Stateless session beans seemed to be randomly wrong.

I think the problem is in org.jboss.ejb3.EJBContextImpl.getCallerPrincipal:
  | public Principal getCallerPrincipal()
  |    {
  |       if(beanPrincipal == null)
  |       {
  |          EJBContainer ec = (EJBContainer) container;
  |          SecurityDomain domain = ec.getAnnotation(SecurityDomain.class);
  |          Principal callerPrincipal = ejbContextHelper.getCallerPrincipal(
  |                SecurityActions.getSecurityContext(), 
  |                rm, domain); 
  |          // This method never returns null.
  |          if (callerPrincipal == null)
  |             throw new java.lang.IllegalStateException("No valid security          
  |                   context for the caller identity");
  |          beanPrincipal = callerPrincipal;
  |       }      
  |       return beanPrincipal;
  |    }

The beanPrincipal associated with the SLSB is lazy initialized, but never reset thereafter. 

So, once the SLSB goes back into the pool (after a first invocation), and is later reused for another invocation, the prinicipal isn't correctly reassociated with the current principal - the principal from the first call is still there.

The problem is still present in JBoss 5.0.0.GA, JBAS-5995 is still open.

Can anyone comment on this?


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4224231#4224231

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4224231

More information about the jboss-user mailing list