Hi Scott,
I don't know why the check of the thread security association was
added (ask Dan), but I think that your fix is correct
and should be committed ASAP.
Thanks,
Oleg
Scott M Stark wrote:
> In the "jaas - commit()" thread I mentioned dropping the current check
> for security credentials associated with the current thread and always using
> the method invocation security credentials:
>
>     Principal principal = mi.getPrincipal();
>     Object credential = mi.getCredential();
>     if (principal == null || !securityManager.isValid( principal, credential ))
>     {
>         // should log illegal access
>         throw new RemoteException("checkSecurityAssociation",
>             new SecurityException("Authentication exception"));
>     }
>     else
>     {
>         SecurityAssociation.setPrincipal( principal );
>         SecurityAssociation.setCredential( credential );
>     }
>
> I have tested this for the current scenarios under which security is not being
> enforced correctly and this works. Can anyone comment on why the check of
> the thread security association was added?