RE: Security bug with application clients? (More Info)

[Lachezar Dobrev]

   Hello.

   Here I want to provide more information on the problem.

   Just for clarification.

 

   The problem is NOT the security itself. It works just fine.

   The problem lies IMHO in caching or something.

   It is also seen only in the RMI connection.

 

   EXAMPLE: Consider following situation:

    We have machine OrionA and OrionB, both running Orion.

    Both have a deployed TestEjb.

    TestEjb is:

      TestEjbHome -> Home interface

      TestEjbBean -> Bean class

      TestEjb     -> Remote interface.

        TestEjb.doTheJob() -> returns a String containing

                              the name of the machine the

                              bean was executed on

                              (OrionA or OrionB)

 

    We have a standalone client:

 

    public class ResourceTest {

      public static void main(String[] args){

        Context     CTX;

        Hashtable   CtxParams;

        TestEjbHome TheHome;

        TestEjb     TheBean;

 

    // Connect to OrionA and execute the TestEjb bean.

        CtxParams = new HashTable();

        CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,

           "com.evermind.server.rmi.RMIInitialContextFactory");

        CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");

        CtxParams.put (Context.SECURITY_CREDENTIALS, "123);

 

           // Provider is the OrionA machine

        CtxParams.put (Context.PROVIDER_URL, "ormi://OrionA/TestAPP");

 

        CTX = new InitialContext (CtxParams);

 

        TheHome = PortableRemoteObject.narrow(

          CTX.lookup("TestEjb"), TestEjbHome.class );

 

        TheBean = TheHome.create();

        System.out.println( "First execution on: " + TheBean.doTheJob() );

 

 

    // Conect to OrionB and execute the TestEjb bean.

        CtxParams = new HashTable();

        CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,

           "com.evermind.server.rmi.RMIInitialContextFactory");

        CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");

        CtxParams.put (Context.SECURITY_CREDENTIALS, "123);

 

           // Provider is the OrionB machine

        CtxParams.put (Context.PROVIDER_URL, "ormi://OrionB/TestAPP");

 

        CTX = new InitialContext (CtxParams);

 

        TheHome = PortableRemoteObject.narrow(

          CTX.lookup("TestEjb"), TestEjbHome.class );

 

        TheBean = TheHome.create();

        System.out.println( "Second execution on: " + TheBean.doTheJob() );

 

      }

    }

 

   Running the above with the propper libraries should yeld:

 

    First execution on: OrionA

    Second execution on: OrionB

 

   HOWEVER! The real sitch returns:

 

    First execution on: OrionA

    Second execution on: OrionA

 

   Another test:

    Modify the code, so that the bean returns the user name;

    Modify the client, so that it connects to one and the same provider, but with different user_names.

 

   Code should yeld:

    First execution on: user1

    Second execution on: user2

 

   However it returns:

    First execution on: user1

    Second execution on: user1

 

   In other words. Connecting once means, that till the end you are connected to the same provider with the same user/pass.

   That's it.

 

   Lachezar.