Fix EJBContext.getCallerPrincipal on Jboss5
-------------------------------------------

                 Key: NXP-5647
                 URL: https://jira.nuxeo.org/browse/NXP-5647
             Project: Nuxeo Enterprise Platform
          Issue Type: Sub-task
            Reporter: Bogdan Stefanescu
            Assignee: Bogdan Stefanescu
            Priority: Major
             Fix For: 5.4


Something in the EJB context relating to the caller principal changed in JBoss5, and I 
don't know if this is a bug or if this is the normal JEE behavior. Anyway, the 
current Nuxeo login logic doesn't work in JBoss5. I spent a lot of time 
debugging this, especially because of the JAAS cache (I forgot about it :'( ); 
thanks Thierry for the hint. 
Here is what is happening:
- The login procedure works OK. When logging in from the web (through the auth. 
filter) everything works OK. 
- Framework.login also works OK, BUT when calling getCallerPrincipal() 
on the EJBContext injected through the @Resource annotation in DocumentManagerBean, 
it returns the principal that originated the request (i.e. the caller) and not 
the authenticated principal. 
I will explain in detail what happens:

Let's say you make a Framework.login() (as a system user). The system principal 
is created by the runtime as a SystemID instance. Then the "system" login 
module chain pushes this principal into a thread-local variable used by JBoss 
to get the current principal of a given thread.
When you make the first call to DocumentManagerBean, JBoss gets this 
principal and validates it using the nuxeo-ecm login module chain. This means 
the NuxeoLoginModule will be called to validate the principal, BUT the Nuxeo 
login module returns the real principal (a SystemPrincipal instance) after 
the validation.
The JBoss4 EJBContext returns the validated principal (or let's say the 
authenticated principal) when you call EJBContext.getCallerPrincipal().
The JBoss5 EJBContext returns the principal used as the input of the 
authentication and not the one returned by NuxeoLoginModule.

In the JBoss5 EJBContext we have a member named authenticatedSubject (which is the 
principal returned by our login module) and a getIdentities() (a set of 
principals) which contains the originating principal (i.e. the SystemID 
principal).
When calling getCallerPrincipal(), instead of returning the authenticated 
principal, JBoss5 returns a principal from the identities set.

To fix this I will add a CallerPrincipalProvider that will be called by the 
DocumentManagerBean to get the principal when the principal retrieved from the 
EJBContext is not a NuxeoPrincipal.
Then in nuxeo-platform-jboss-login I will add an implementation of 
CallerPrincipalProvider that uses the JBoss API to get the real authenticated user.
This instance can be configured through a system or runtime property as follows:

org.nuxeo.ecm.core.api.CallerPrincipalProvider=org.nuxeo.platform.login.jboss.JBoss5CallerPrincipalProvider
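As an added illustration of the fix described above (not code from this ticket or from Nuxeo): the provider hook, a JBoss5 implementation and the bean-side check. It assumes that org.jboss.security.SecurityAssociation.getSubject() exposes the Subject the login-module chain committed to and that NuxeoLoginModule adds the validated principal to that Subject; CallerPrincipalResolver, PROP and the exception handling are hypothetical.

```java
import java.security.Principal;
import java.util.Set;
import javax.ejb.EJBContext;
import javax.security.auth.Subject;
import org.jboss.security.SecurityAssociation; // assumed JBoss 5 API
import org.nuxeo.ecm.core.api.NuxeoPrincipal;

// Hook consulted when the EJBContext does not yield a NuxeoPrincipal.
public interface CallerPrincipalProvider {
    Principal getCallerPrincipal();
}

// JBoss5 variant: read the Subject built by the login-module chain (the
// validated identity) instead of the identity that was fed into it.
class JBoss5CallerPrincipalProvider implements CallerPrincipalProvider {
    public Principal getCallerPrincipal() {
        Subject subject = SecurityAssociation.getSubject(); // assumed API
        if (subject == null) return null;
        // NuxeoLoginModule commits the real principal (e.g. SystemPrincipal)
        // to the Subject; the SystemID input is not a NuxeoPrincipal.
        Set<NuxeoPrincipal> found = subject.getPrincipals(NuxeoPrincipal.class);
        return found.isEmpty() ? null : found.iterator().next();
    }
}

// Bean-side lookup, as the ticket describes for DocumentManagerBean (hypothetical class).
class CallerPrincipalResolver {
    static final String PROP = "org.nuxeo.ecm.core.api.CallerPrincipalProvider";

    static Principal resolve(EJBContext ctx) {
        Principal p = ctx.getCallerPrincipal();
        if (p instanceof NuxeoPrincipal) return p; // JBoss4 case: already validated
        CallerPrincipalProvider provider = loadProvider();
        Principal real = provider == null ? null : provider.getCallerPrincipal();
        // Never authorise against the unvalidated input principal (e.g. SystemID).
        if (real == null) throw new SecurityException("no authenticated principal for " + p);
        return real;
    }

    static CallerPrincipalProvider loadProvider() {
        String cls = System.getProperty(PROP); // key named in the ticket
        if (cls == null) return null;
        try {
            return (CallerPrincipalProvider) Class.forName(cls).newInstance();
        } catch (Exception e) {
            throw new IllegalStateException("cannot load " + cls, e);
        }
    }
}
```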
 

This problem may be related to:

https://jira.jboss.org/browse/EJBTHREE-1756
http://community.jboss.org/wiki/UsingCustomPrincpalsWith
http://community.jboss.org/message/531986#531986
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets