Re: Security bug with application clients?

[Michael Jara]

I think maybe I didn't make something clear.  I am using a java "application" client, NOT a web client.  As such, I cannot invalidate sessions, make posts, etc.   Orion seems to be written primarily as a web app server, and I have seen very little information on using it as a direct application server (in Orion literature or in the Oracle OC4J docs.)  Since very few people are using Orion in this way, I guess I should expect to see a few bugs here and there.  (I'm guessing that this is an application-client specific issue.)   Anyway, I could be wrong in beleiving that the problem is in stateless session beans...  As Lachezar pointed out, it might be in the InitialContext.   By the way, I saw this behavior in Orion 1.4.5 and in the latest release, 1.5.2.   Any suggestions are appreciated, Mike ----- Original Message ----- From: Jara, Michael To: Orion-Interest Sent: Monday, June 11, 2001 7:50 PM Subject: Security bug with application clients? Hi,   I'm trying to get the security portion of a project working, in which a java client connects to a stateless session bean after login.  As far as I can tell, Orion doesn't seem to properly pass around principal objects in stateless session beans.   This is the sequence that my test client runs:   1. Prompt user for user ID & password 2. Create an InitialContext containing the user ID and password (as "java.naming.security.principal" and "java.naming.security.credentials", respectively.) 3. Look up the stateless session bean's home 4. home.create() the stateless session bean   So far, so good.  The stateless session bean correctly identifies the user ID within its session context's principal.  Now I clean things up and repeat the process:   5. remove() the stateless session bean 6. close() the InitialContext (just in case... I even went so far as to remove all of its environment properties.) 7. Log on again: prompt for a different user ID & password 8. Create a new initial context as in step 2. 9. Look up the stateless session bean's home 10. home.create() the stateless session bean   This is where things go wrong.  I get the principal out of the stateless session bean's session context, which indicates that I'm logged in as the first user!  The problem is that the bean is never calling "setSessionContext" on the second creation.  If I re-start the client however, it works correctly.   The only way I can think of to get around this is to use a stateful session bean instead...  I don't like that, because I don't need to maintain state!  Has anyone else encountered this problem?  Found a solution?   Thanks, Mike