There is a problem with the use of ThreadLocals to record Authentication when the client (in this case Jetty) is using ThreadPools.
I have previously mentioned this, but now I have confirmation that it is a problem for a Client.

He created a small thread pool for the listener (4 threads), then used 4 browsers to hit authenticated pages and authenticated with a different user for each browser. The effect of this was for the JBoss authentication mechanism to create ThreadLocal authentications for each of these threads.

He then got new browsers and started hitting unauthenticated pages that reported the request and EJB auth details. These new requests receive random EJB authentication depending on which thread from the thread pool they are allocated:

>>23:33:25,434 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=comercial
>>23:33:25,464 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=comercial
>>23:33:38,333 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=cliente
>>23:33:38,373 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=cliente
>>23:34:46,341 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=cliente
>>23:34:46,371 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=cliente
>>23:34:57,186 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=admin
>>23:34:57,236 INFO [Default] request.getUserPrincipal=null;
>>ctx.getCallerPrincipal().getName()=admin

We need a mechanism to unauthenticate Threads, so the Jetty can call this after each request.

Note that it is not an option to get rid of the ThreadPool as that would be a HUGE performance hit.

regards

--
Greg Wilkins<[EMAIL PROTECTED]>          GB  Phone: +44-(0)7092063462
Mort Bay Consulting Australia and UK.    Mbl Phone: +61-(0)4 17786631
http://www.mortbay.com                   AU  Phone: +61-(0)2 98107029
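
The leak reported in this message, next to the per-request cleanup it asks for, as an added example that is not part of the original post and is not JBoss or Jetty code. The CALLER ThreadLocal and the handle() and run() methods are hypothetical stand-ins for the container's per-thread authentication and for request dispatch on a pooled thread.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalAuthLeak {
    // Hypothetical stand-in for the container's per-thread caller identity.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Handles one request; user == null means the request is unauthenticated.
    // Returns the caller principal that downstream (EJB) code would observe.
    static String handle(String user, boolean clearAfter) {
        try {
            if (user != null) {
                CALLER.set(user);        // login binds the identity to the worker thread
            }
            return CALLER.get();         // what getCallerPrincipal() would be derived from
        } finally {
            if (clearAfter) {
                CALLER.remove();         // the "unauthenticate" step, run even on exceptions
            }
        }
    }

    // Dispatches one request onto the pool and waits for the observed principal.
    static String run(ExecutorService pool, String user, boolean clearAfter) throws Exception {
        Callable<String> task = () -> handle(user, clearAfter);
        return pool.submit(task).get();
    }

    public static void main(String[] args) throws Exception {
        // A single worker makes thread reuse deterministic; with 4 workers the
        // same leak occurs on whichever thread the later request is assigned to.
        for (boolean clearAfter : new boolean[] {false, true}) {
            ExecutorService pool = Executors.newFixedThreadPool(1);
            try {
                String authenticated = run(pool, "admin", clearAfter);   // constructed user name
                String unauthenticated = run(pool, null, clearAfter);
                System.out.printf("clearAfter=%b authenticated=%s unauthenticated=%s%n",
                        clearAfter, authenticated, unauthenticated);
            } finally {
                pool.shutdown();
            }
        }
    }
}
```

Without the cleanup, the second request inherits the identity left on the worker thread by the first; with remove() in the finally block, the unauthenticated request sees no caller while the pool stays in use.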