[
https://issues.apache.org/jira/browse/GERONIMO-4119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12605656#action_12605656
]
David Jencks commented on GERONIMO-4119:
----------------------------------------
This is caused by the geronimo-openejb ThreadContextListener not tracking the
ContextID from the caller nor resetting it on exit. What's going on is:
1. request to servlet starts, has resource/data permissions checked.
2. initial request then creates servlet. This results in evaluating injections
and looking up the injected ejb
3. entering openejb code to create the ejb sets the contextID to the ejb apps
ContextID
4. ejb stuff initialized
5. (missing) web app ContextID should be reset on exit
6. Now that servlet is created, the service methods are called
7. The web role ref permission is checked against the current ContextID which
is for the ejb app -- so it fails.
After the first request, the servlet has already been created so the role-ref
is checked against the correct contextID. However if you checked the role-ref
AFTER calling the ejb you'd run into the same problem.
> request.isUserInRole("some-role") always return false after @EJB injection
> --------------------------------------------------------------------------
>
> Key: GERONIMO-4119
> URL: https://issues.apache.org/jira/browse/GERONIMO-4119
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: OpenEJB, Tomcat, web
> Affects Versions: 2.0.2
> Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
> Reporter: Stig Even Larsen
> Priority: Blocker
>
> See mailing list discussion:
> http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html
> To recreate the malfunction you need to do the following:
> 1. Create an EAR with a local session bean and a war
> 2. Use the default console security realm (geronimo-admin) for protecting the
> {context-path}/protected/* area
> Create a new group named "partnergroup" and add the "system" user to it. Map
> the "partnergroup" to the partners role in deployment descriptor
> (geronimo-web.xml)
> 3. Create a simple but form-protected (j_security_check) *jsp* page, e.g.:
> {context-path}/protected/test.jsp.
> {code:title=/protected/test.jsp|borderStyle=solid}
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>     "http://www.w3.org/TR/html4/loose.dtd">
> <html>
>   <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
>     <title>JSP Test</title>
>   </head>
>   <body>
>     <h2>Role test</h2>
>     <% if (request.isUserInRole("partners")) { %>
>       user is partner :)
>     <% } else { %>
>       user is NOT partner :(
>     <% } %>
>   </body>
> </html>
> {code}
> 4. Create a simple Session Bean (EJB) with a simple local method:
> {code:title=TimeUtilsBean.java|borderStyle=solid}
> import javax.ejb.Stateless;
>
> @Stateless
> public class TimeUtilsBean implements TimeUtilsLocal {
>     public String getString() {
>         return "Hello from Stateless EJB!";
>     }
> }
> {code}
> 5. Create a simple but form-protected (j_security_check) *Servlet* that uses
> the local EJB (e.g. {context-path}/protected/info)
> {code:title=/protected/Info.java|borderStyle=solid}
> import java.io.*;
> import java.net.*;
> import javax.ejb.EJB;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import javax.naming.*;
> import javax.annotation.security.*;
> import no.nimra.geronimo.test.TimeUtilsLocal;
> import no.nimra.nis.admin.ejb.*;
>
> @DeclareRoles({"administrators", "partners", "users"})
> public class Info extends HttpServlet {
>     @EJB
>     private TimeUtilsLocal timeUtilsBean;
>
>     protected void processRequest(HttpServletRequest request,
>                                   HttpServletResponse response)
>             throws ServletException, IOException {
>         response.setContentType("text/html;charset=UTF-8");
>         PrintWriter out = response.getWriter();
>         out.println("SessionID: " + request.getRequestedSessionId());
>         System.out.println("Principal: " +
>                 request.getUserPrincipal().getName());
>         if (request.isUserInRole("partners")) {
>             System.out.println("User has partners-role...");
>             out.println("User has partners-role...");
>         } else {
>             System.out.println("User has NOT partners-role...");
>             out.println("User has NOT partners-role...");
>         }
>         try {
>             out.println("<html>");
>             out.println("<head>");
>             out.println("<title>Servlet Info</title>");
>             out.println("</head>");
>             out.println("<body>");
>             out.println("<h1> " + request.getContextPath() + "</h1>");
>             if (request.getUserPrincipal() != null) {
>                 out.println("Principal: " +
>                         request.getUserPrincipal().getName());
>             }
>             out.println(timeUtilsBean.getString());
>             out.println("</body>");
>             out.println("</html>");
>         } finally {
>             out.close();
>         }
>     }
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
>
>     protected void doPost(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
> }
> {code}
> Description:
> Access http://{context-path}/protected/test.jsp. After successful login you
> will see that your login has the "partners" role. As expected.
> If you access the servlet at http://{context-path}/protected/info you will
> notice that you do not have the "partners" role.
> If you remove the @EJB injection it behaves as expected.
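As an added illustration of the ContextID handling described in the comment above (this is not Geronimo or OpenEJB code), the following stand-alone Java models the thread-bound contextID and puts a listener that only sets the EJB app's ID next to one that saves the caller's ID on entry and restores it on exit. PolicyContextStandIn (in place of javax.security.jacc.PolicyContext), the listener interface shape and the IDs "web-app"/"ejb-app" are assumptions made for the example.

```java
import java.util.LinkedList;
public class ContextIdRestoreDemo {
    /** Stand-in for javax.security.jacc.PolicyContext (assumption): one contextID per thread. */
    static final class PolicyContextStandIn {
        private static final ThreadLocal<String> ID = new ThreadLocal<>();
        static String getContextID() { return ID.get(); }
        static void setContextID(String id) { ID.set(id); }
    }
    /** Simplified shape of the listener called around EJB container entry/exit (assumption). */
    interface ThreadContextListener {
        void contextEntered(String ejbAppContextId);
        void contextExited();
    }
    /** Behaviour described in the comment: the EJB app's ID is set on entry and never reset. */
    static final class LeakyListener implements ThreadContextListener {
        public void contextEntered(String ejbAppContextId) {
            PolicyContextStandIn.setContextID(ejbAppContextId);
        }
        public void contextExited() { /* the caller's ContextID is lost here */ }
    }
    /** Fix pattern: remember the caller's ID on entry and restore it on exit (safe for nesting). */
    static final class RestoringListener implements ThreadContextListener {
        // per-thread stack of saved IDs; LinkedList accepts null for "no ID bound yet"
        private final ThreadLocal<LinkedList<String>> saved = ThreadLocal.withInitial(LinkedList::new);
        public void contextEntered(String ejbAppContextId) {
            saved.get().push(PolicyContextStandIn.getContextID());
            PolicyContextStandIn.setContextID(ejbAppContextId);
        }
        public void contextExited() {
            PolicyContextStandIn.setContextID(saved.get().pop());
        }
    }
    /** Mirrors steps 1-7: web request binds its ID, EJB injection enters/exits the EJB container, role-ref is checked. */
    static String contextIdSeenByRoleRefCheck(ThreadContextListener listener) {
        PolicyContextStandIn.setContextID("web-app");   // step 1: web app's ContextID bound for the request
        listener.contextEntered("ejb-app");             // step 3: entering OpenEJB to create the injected EJB
        /* step 4: EJB initialised and looked up */
        listener.contextExited();                       // step 5: the caller's ContextID should come back
        return PolicyContextStandIn.getContextID();     // step 7: ID the web role-ref check runs against
    }
    public static void main(String[] args) {
        System.out.println("without reset: " + contextIdSeenByRoleRefCheck(new LeakyListener()));
        System.out.println("with reset:    " + contextIdSeenByRoleRefCheck(new RestoringListener()));
    }
}
```

With LeakyListener the role-ref check at step 7 runs against "ejb-app", which is the failure in the report; with RestoringListener it runs against "web-app" again.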
--
This message is automatically generated by JIRA.