[jboss-user] [Security & JAAS/JBoss] - SecurityAssociation: javax.security.auth.Subject disappears

wgiersche do-not-reply at jboss.com
Wed Aug 12 10:13:23 EDT 2009


I'm working on a large, international banking project in Switzerland. In an Eclipse RCP 3.4 client, some of the remote method calls fail with "Caller unauthorized". We're using ClientLoginModule and JAAS Logon. Everything used to work with JBoss AS 4.2.2.GA. Now, with the client libraries of JBoss AS 5.1, some method calls will not be accepted by the server, for the SecurityContext of the RMI seems to be incomplete.
We could trace the problem down to the SecurityAssociation class. In a debug session we could show that immediately before a successful method call, SecurityAssociation.getSubject() would return the expected Subject. Magically, before other calls to remote methods it would return null. Interestingly, getPrincipal() and getCredential() both still return the expected values. Method calls fail if and only if getSubject() returns null. We believe that there is a flaw in the way the SubjectThreadLocal is used. The problem is only reproducible in the full RCP application, thus we assume that the problem is that not all threads are correctly equipped with a consistent SubjectStack. Can anybody help us out? You must have heard this before, haven't you?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4249230#4249230

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4249230
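The failure mode described in the post (a Subject that is visible on the thread that logged in but null on another thread that issues the remote call) can be reproduced outside JBoss with a plain thread-local. The following is an added illustration, not code from the original post or from JBoss; `SubjectHolder` is a hypothetical stand-in for the thread-local subject association, and the worker pool stands in for the background threads an RCP application uses. It shows why a lookup on a pooled thread returns null and one defensive pattern: capture the Subject on the caller's thread and re-establish it on the worker before the call, then clear it so the pool does not leak it to the next task.

```java
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.concurrent.*;

public class SubjectPropagationDemo {

    // Hypothetical stand-in for a thread-local subject association (assumption,
    // not the JBoss SecurityAssociation class). A plain ThreadLocal is NOT
    // inherited by threads that were created before it was set, which is the
    // usual case with a thread pool.
    static final class SubjectHolder {
        private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();
        static Subject get()            { return CURRENT.get(); }
        static void set(Subject s)      { CURRENT.set(s); }
        static void clear()             { CURRENT.remove(); }
    }

    // Stand-in for an authorization check on the server side: reject the call
    // when no Subject is associated with the calling thread.
    static String remoteCall() {
        Subject s = SubjectHolder.get();
        if (s == null) {
            return "Caller unauthorized";
        }
        return "ok for " + s.getPrincipals().iterator().next().getName();
    }

    // Defensive wrapper: capture the Subject from the submitting thread and
    // re-establish it on the worker for the duration of the task only.
    static <T> Callable<T> withSubject(Callable<T> task) {
        final Subject captured = SubjectHolder.get();
        return () -> {
            SubjectHolder.set(captured);
            try {
                return task.call();
            } finally {
                SubjectHolder.clear();   // never leave a Subject on a pooled thread
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample Subject with a single named principal.
        Subject subject = new Subject();
        subject.getPrincipals().add((Principal) () -> "alice");
        SubjectHolder.set(subject);

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Same thread as the login: the Subject is present.
            System.out.println("caller thread : " + remoteCall());

            // Pooled thread, no propagation: the Subject is missing -> rejected.
            System.out.println("worker, naive : " + pool.submit(SubjectPropagationDemo::remoteCall).get());

            // Pooled thread with explicit propagation: the Subject is present.
            System.out.println("worker, fixed : " + pool.submit(withSubject(SubjectPropagationDemo::remoteCall)).get());
        } finally {
            pool.shutdown();
            SubjectHolder.clear();
        }
    }
}
```

The naive submission fails for the same structural reason the post describes: the association lives in a thread-local that the worker thread never received. Re-establishing the Subject per task, and clearing it in a `finally`, keeps the association consistent on every thread that makes a call without letting one user's Subject survive on a pooled thread for the next task.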



More information about the jboss-user mailing list