[ https://jira.nuxeo.org/browse/NXP-5647?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bogdan Stefanescu updated NXP-5647:
-----------------------------------
Status: Open (was: Triage)
> Fix EJBContext.getCallerPrincipal on Jboss5
> -------------------------------------------
>
> Key: NXP-5647
> URL: https://jira.nuxeo.org/browse/NXP-5647
> Project: Nuxeo Enterprise Platform
> Issue Type: Sub-task
> Reporter: Bogdan Stefanescu
> Assignee: Bogdan Stefanescu
> Priority: Major
> Fix For: 5.4
>
>
> Something in the EJB context relating to the caller principal changed in JBoss5. And
> I don't know if this is a bug or if this is the normal JEE behavior. Anyway
> the current Nuxeo login logic doesn't work in JBoss5. I spent a lot of time
> debugging this - especially because of the JAAS cache ( I forgot about it :'( ) -
> thanks Thierry for the hint.
> Here is what is happening:
> - The login procedure works ok. When logging in from the web (through the
> auth. filter) all is working ok.
> - Also the Framework.login works ok BUT when calling the getCallerPrincipal()
> on the EJBContext injected through @Resource annotation in
> DocumentManagerBean it returns the principal that originated the request
> (i.e. the caller) and not the authenticated principal.
> I will explain in detail what happens:
> Let's say you make a Framework.login() (as a system user). The system
> principal is created by the runtime as a SystemID instance. Then the "system"
> login module chain is pushing this principal in a thread local variable used
> by JBOSS to get the current principal of a given thread.
> When you make the first call to DocumentManagerBean, JBOSS gets this
> principal and validates it using the nuxeo-ecm login module chain. This means
> the NuxeoLoginModule will be called to validate the principal - BUT the nuxeo
> login module is returning the real principal (a SystemPrincipal instance)
> after the validation.
> The JBoss4 EJBContext will return the validated principal (or let's say
> authenticated principal) when you call EJBContext.getCallerPrincipal().
> The JBoss5 EJBContext will return the principal used as the input of the
> authentication and not the one returned by NuxeoLoginModule.
> In JBoss5 EJBContext we have a member named authenticatedSubject (which is
> the principal returned by our login module) and a getIndentities() (a set of
> principals) which contains the originating principal (i.e. the SystemID
> principal).
> When calling getCallerPrincipal(), instead of returning the authenticated
> principal JBoss5 returns a principal from the identities set.
> To fix this I will add a CallerPrincipalProvider that will be called to get
> the principal by the DocumentManagerBean when the principal retrieved from
> the EJBContext is not a NuxeoPrincipal.
> Then in nuxeo-platform-jboss-login I will add an implementation of a
> CallerPrincipalProvider that uses the JBoss API to get the real authenticated user.
> This instance can be configured through a system or runtime property as
> follows:
> org.nuxeo.ecm.core.api.CallerPrincipalProvider=org.nuxeo.platform.login.jboss.JBoss5CallerPrincipalProvider
>
> This problem may be related to:
> https://jira.jboss.org/browse/EJBTHREE-1756
> http://community.jboss.org/wiki/UsingCustomPrincpalsWith
> http://community.jboss.org/message/531986#531986
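The fallback described in the ticket, as an added example that is not Nuxeo's code: the principal from the EJB context is used only if it is a NuxeoPrincipal, otherwise the provider named by the system property is asked. The `CallerPrincipalProvider` method signature, the stand-in types, `DemoProvider` and the fail-closed behaviour are assumptions; only the property name and type names come from the ticket.

```java
import java.security.Principal;

public class CallerPrincipalResolver {
    // Property name as given in the ticket.
    static final String PROP = "org.nuxeo.ecm.core.api.CallerPrincipalProvider";

    /** Returns the principal to authorize against; never the unvalidated login input. */
    static NuxeoPrincipal resolve(Principal fromEjbContext) throws ReflectiveOperationException {
        if (fromEjbContext instanceof NuxeoPrincipal np) {
            return np; // JBoss4 case: the container already returned the validated principal
        }
        String cls = System.getProperty(PROP);
        if (cls == null) { // assumption: fail closed rather than trust the input principal
            throw new SecurityException("no provider configured for " + fromEjbContext);
        }
        CallerPrincipalProvider provider = (CallerPrincipalProvider)
                Class.forName(cls).getDeclaredConstructor().newInstance();
        if (provider.getCallerPrincipal() instanceof NuxeoPrincipal np) {
            return np;
        }
        throw new SecurityException(cls + " did not return a NuxeoPrincipal");
    }

    public static void main(String[] args) throws Exception {
        Principal input = new SystemID("system"); // what JBoss5 getCallerPrincipal() hands back
        try {
            resolve(input);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.setProperty(PROP, "DemoProvider");
        System.out.println("resolved: " + resolve(input));
    }
}

// Stand-ins for the Nuxeo types named in the ticket (signatures are assumptions).
interface NuxeoPrincipal extends Principal {}
interface CallerPrincipalProvider { Principal getCallerPrincipal(); }

// Constructed sample principals: the login input and the validated result.
record SystemID(String name) implements Principal { public String getName() { return name; } }
record SystemPrincipal(String name) implements NuxeoPrincipal { public String getName() { return name; } }

// Hypothetical provider; the real one would ask the JBoss API for the authenticated subject.
class DemoProvider implements CallerPrincipalProvider {
    public Principal getCallerPrincipal() { return new SystemPrincipal("system"); }
}
```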