Hi
I have a J2EE application that runs on JBoss 4.0.3. The application consists of
a web front-end and an EJB 2.1 Stateless Session Bean to implement our business
logic.
Users are authenticated by logging into the web interface. A JAAS LoginModule
is used to create a security realm for our web tier (configured in our web.xml
& jboss-web.xml files). When a business method is invoked on the SSB the user's
credentials are correctly propagated to the EJB container (the same security
realm has been configured in our jboss.xml file).
At this stage declarative security (to apply role permissions to EJB methods in
ejb-jar.xml) and programmatic security (to access the user's principal & role using
the interface methods SessionContext.getCallerPrincipal().getName() &
SessionContext.isCallerInRole("Admin") respectively) work correctly.
The problem arises when an EJB makes a remote call to another remote EJB on
another host with a different username/password. After successfully returning
from this remote call our original SSB appears to have an incorrect
SessionContext.
The remote lookup and operation to the second EJB is done using the following
function:
import java.rmi.RemoteException;
import java.util.Properties;
import javax.ejb.CreateException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

// 'jndiRemote' and 'password' are fields of the enclosing bean (not shown in the post);
// Context.PROVIDER_URL for the other host is assumed to come from jndi.properties
void changeRemoteBlah() throws NamingException, RemoteException, CreateException {
    // At this point the SessionContext for the current user on the current
    // local ejb is ok, and we can call local authorized methods
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY,
            "org.jboss.security.jndi.JndiLoginInitialContextFactory");
    env.setProperty(Context.SECURITY_PRINCIPAL, "remoteAdmin");
    env.setProperty(Context.SECURITY_CREDENTIALS, password);
    InitialContext ctx = new InitialContext(env);
    try {
        Object o = ctx.lookup(jndiRemote);
        BlahManagerRemoteHome home = (BlahManagerRemoteHome)
                PortableRemoteObject.narrow(o, BlahManagerRemoteHome.class);
        BlahManagerRemote manager = home.create();
        manager.deployBlah();
    } finally {
        ctx.close();
    }
    // after the return the SessionContext for the caller EJB is wrong, and we can
    // no longer call our own (local) ejb methods that have authorization on them
}
Debug logs after the remote call, upon returning to the 1st EJB:
org.jboss.security.SecurityAssociation.getSubject,[EMAIL
PROTECTED],subject=null}
org.jboss.security.SecurityAssociation.getPrincipal, cache info: [EMAIL
PROTECTED](27545610)[EMAIL PROTECTED](Admin)[EMAIL
PROTECTED](Roles(members:Admin)),[EMAIL PROTECTED],expirationTime=1165984451664
The getPrincipal call shows the correct original user; however, the getSubject
call shows the user that was used for the remote call. Does anyone know why
this is the case and how to fix it?
Alternatively, as a workaround solution we have considered storing a local copy
of the user's details (SessionContext.getUserRole(), etc.) in the method and
somehow restoring them after completing each remote call to the other ejb. Does
anyone know how to reset these details into the current SessionContext?
Thanks,
Annie
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3993239#3993239
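An added example (not from Annie's post or from the JBoss project) of the save-and-restore workaround the post asks about. It assumes the JBoss 4.0.x org.jboss.security.SecurityAssociation static getters/setters for the calling thread's principal, credential and Subject, and that JndiLoginInitialContextFactory overwrites exactly those; BlahManagerRemoteHome/BlahManagerRemote, jndiRemote and password are the post's own placeholders.

```java
import java.security.Principal;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import org.jboss.security.SecurityAssociation;

/** Snapshot of the calling thread's security association (assumed JBoss 4.0.x API). */
final class CallerIdentity {
    private final Principal principal;
    private final Object credential;
    private final Subject subject;
    private CallerIdentity(Principal p, Object c, Subject s) {
        principal = p; credential = c; subject = s;
    }
    /** Capture what the container associated with this thread for the web-tier user. */
    static CallerIdentity capture() {
        return new CallerIdentity(SecurityAssociation.getPrincipal(),
                SecurityAssociation.getCredential(),
                SecurityAssociation.getSubject());
    }
    /** Put the captured identity back so later isCallerInRole/getCallerPrincipal see it. */
    void restore() {
        SecurityAssociation.setPrincipal(principal);
        SecurityAssociation.setCredential(credential);
        SecurityAssociation.setSubject(subject);
    }
}

// Session bean method; jndiRemote and password are the bean's own fields as in the post.
void changeRemoteBlah() throws Exception {
    CallerIdentity caller = CallerIdentity.capture();  // before the JNDI login happens
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY,
            "org.jboss.security.jndi.JndiLoginInitialContextFactory");
    env.setProperty(Context.SECURITY_PRINCIPAL, "remoteAdmin");
    env.setProperty(Context.SECURITY_CREDENTIALS, password);
    InitialContext ctx = new InitialContext(env);  // this replaces the thread's association
    try {
        Object o = ctx.lookup(jndiRemote);
        BlahManagerRemoteHome home = (BlahManagerRemoteHome)
                PortableRemoteObject.narrow(o, BlahManagerRemoteHome.class);
        home.create().deployBlah();
    } finally {
        ctx.close();
        caller.restore();  // always put the web-tier user back, even if the remote call threw
    }
}
```

Because this touches a JBoss-internal thread-local rather than the EJB spec API, check the SecurityAssociation source for the exact 4.0.3 release before relying on it.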
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user