Cor,
Now the situation becomes clear to me: you use a *client* login module
to provide your custom Principal implementation.
I would agree with Scott, there is a security hole in JBossSX.
I use a *server* login module for that, it works fine for me and
IMHO doesn't make a security hole.
Can't you do so in your case?
Oleg
Cor Hofman wrote:
> Oleg,
> A new insight:
> The session bean is called from within a jsp servlet.
> The servlet environment has been started up with the option:
> -Djava.security.auth.login.config=H:/JBoss/jboss-2.1_PRE/client/auth.conf
> Contents of auth.conf is:
> Companion
> {
> org.companion.security.ClientLoginModule required multi-threaded="true";
> };
> The login client I am using in that environment issues:
> LoginContext lc = new LoginContext("Companion", handler);
> My own org.companion.security.ClientLoginModule performs:
> SecurityAssociation.setPrincipal(new CompanionPrincipal(orgpin,
> username));
> introducing my home made Principal!
> Next I create the session bean, which correctly gets the CompanionPrincipal
> returned at getCallerPrincipal().
> Then the session bean calls the finder method on the home interface
> of the entity bean. Now the session bean is actually a client of the
> entity bean. Hence could it be that another clientLogin is
> used in order to arrange for any needed security checks?
> If so then I am suspecting that this clientLogin is a different one
> than the one I wrote. It is probably using the standard one, introducing the
> SimplePrincipal instance, which is then passed on to the entity bean.
> If so, how can I arrange that the correct clientLogin module is used
> at this point?
> Regards,
> Cor.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Oleg Nitz
> Sent: Tuesday, February 27, 2001 12:14
> To: JBoss-User
> Subject: Re: [jBoss-User] Problems with Principal class propagation
> Cor,
> I still can't reproduce the bug. I called both ejFindCollection and
> ejbFindByPrimaryKey from Session bean, getCallerPrincipal() works
> correctly inside them.
> I am afraid your next step is providing a testcase that shows the bug.
> Or a new insight :-)
> Regards,
> Oleg
> Cor Hofman wrote:
>> Oleg,
>> I am calling getCallerPrincipal() from within a method defined
>> in the home interface. To be precise I call it from within
>> an ejbFindxxx() method. Not the ejbFindByPrimaryKey() though,
>> but an additional one returning a Collection.
>> Regards,
>> Cor.
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Oleg Nitz
>> Sent: Tuesday, February 27, 2001 00:35
>> To: JBoss-User
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: [jBoss-User] Problems with Principal class propagation
>> Hi Cor,
>> I guess you are absolutely right, this is the difference between your
>> case and my case: I don't use home methods of EntityBeans.
>> I'll try to fix this tomorrow.
>> Do I understand correctly that you call getCallerPrincipal() in
>> ejbHomeXXX method, or is it some other home method (which one)?
>> Thanks for your insight,
>> Oleg
>> On Monday 26 February 2001 12:47, Cor Hofman wrote:
>>> Oleg, Scott,
>>>
>>> What crossed my mind:
>>> Could it have something to do with calling a method
>>> on the home interface? Since that is a difference
>>> between the Session bean and the entity bean:
>>> the getCallerPrincipal() for the session bean is
>>> called from within a "created" session bean.
>>> The entity getCallerPrincipal() is performed within
>>> one of the home methods of this entity bean.
>>>
>>> Regards,
>>>
>>> Cor.
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED]]On Behalf Of Oleg Nitz
>>> Sent: Sunday, February 25, 2001 00:29
>>> To: JBoss-User
>>> Subject: Re: [jBoss-User] Problems with Principal class propagation
>>>
>>>
>>> Hi Cor,
>>>
>>> IMHO, looks like a bug, should work as you expect.
>>> Strange. I have a similar situation: my own Principal
>>> implementation, my own server login module, session bean calls
>>> entity bean, and in the entity bean getCallerPrincipal() returns my
>>> implementation.
>>> Could you try the current CVS version?
>>>
>>> Regards,
>>> Oleg
>>>
>>> On Saturday 24 February 2001 09:18, Cor Hofman wrote:
>>> > Hi,
>>> >
>>> > I implemented my own Principal class to add some extra
>>> > authorization methods.
>>> >
>>> > When I perform the login and call a session bean everything
>>> > looks fine. The getCallerPrincipal() inside a session bean returns
>>> > my own Principal. This session bean then calls an entity bean.
>>> > When the entity bean calls getCallerPrincipal() it returns an
>>> > original SimplePrincipal instance. I would expect the entity bean
>>> > to return my own Principal as well. Why isn't that happening? I
>>> > expected the new Principal class to be propagated automatically.
>>> >
>>> > I use a PRE2.1 build from the beginning of January.
>>> >
>>> > For both the session bean and the entity bean I added the famous
>>> > two lines:
>>> >
>>> >
>>> > <role-mapping-manager>java:/jaas/companion</role-mapping-manager>
>>> > <authentication-module>java:/jaas/companion</authentication-module>
>>> >
>>> > to the container types I use for the session and the entity bean
>>> > (in standardJboss.xml).
>>> >
>>> > I also modified the auth.conf to contain a companion section.
>>> >
>>> > companion {
>>> > org.companion.security.ServerLoginModule required;
>>> > };
>>> >
>>> > Furthermore I added this to the client auth.conf
>>> >
>>> > companion
>>> > {
>>> > org.companion.security.ClientLoginModule required multi-threaded="true";
>>> > };
>>> >
>>> > Any suggestions or hints on how to tackle this one are very much
>>> > appreciated.
>>> >
>>> > Greetings,
>>> >
>>> > Cor Hofman
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
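As an added example (not code from this thread, nor JBoss's own), here is the server-side alternative Oleg recommends: a standard JAAS LoginModule that verifies the password first and only then constructs the CompanionPrincipal and attaches it to the Subject, so the identity the beans see is never simply asserted by the client. It assumes CompanionPrincipal(orgpin, username) implements java.security.Principal as in Cor's code; the VALID_USERS map and the orgpin value are constructed stand-ins for a real user store.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CompanionServerLoginModule implements LoginModule {
    // Constructed credential store standing in for a real user database.
    private static final Map<String, char[]> VALID_USERS = new HashMap<>();
    static { VALID_USERS.put("alice", "s3cret".toCharArray()); }
    private Subject subject;
    private CallbackHandler handler;
    private Principal identity; // non-null only after login() verified the password

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        char[] expected = VALID_USERS.get(nc.getName());
        if (expected == null || !Arrays.equals(expected, pc.getPassword())) {
            throw new FailedLoginException("Bad user name or password");
        }
        pc.clearPassword();
        // The Principal is built here, on the server, from the verified name;
        // the orgpin would come from the user store ("ORG-0001" is constructed).
        identity = new CompanionPrincipal("ORG-0001", nc.getName());
        return true;
    }

    public boolean commit() {
        if (identity == null) return false;
        subject.getPrincipals().add(identity); // now carried by the Subject
        return true;
    }

    public boolean abort() { identity = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(identity); identity = null; return true; }
}
```

This class would be named in the server auth.conf entry quoted earlier in the thread (the `companion { ... required; };` block) in place of org.companion.security.ServerLoginModule.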