Lachezar's second example is exactly what I tried, and I got the same results.
 
I started looking at the docs related to web clients, trying to figure out if there was something different between web-client security and application-client security.  (First, I need to mention that I know next to nothing about web clients or servlets.)  The Orion security primer on jollem.com seems only to set up permissions per jsp, not actual ejb security.  Is this correct, or does anybody have actual ejb security working with web clients?  (If so, is this using orion's web server, or apache/tomcat?)
 
Additionally, I tried using the RoleManager...  First of all, you cannot get a role manager from a client.  It is only available inside EJBs.   No problem, I figured, I can have a "login" account, which will allow the user to connect to an "authentication" bean to do a "RoleManager.login".  Within the context of the "authentication" bean, this seemed to work.  However, on return of the function call, the principal reverted to the "login" account.  (I suppose you could pass username & password to every method call and "RoleManager.login" for each one... But what a hack that would be.)
 
Mike
 
----- Original Message -----
Sent: Wednesday, June 13, 2001 2:31 AM
Subject: RE: Security bug with application clients? (More Info)

   Hello.
   Here I want to provide more information on the problem.
   Just for clarification.
 
   The problem is NOT the security itself. It works just fine.
   The problem lies IMHO in caching or something.
   It is also seen only in the RMI connection.
 
   EXAMPLE: Consider following situation:
    We have machine OrionA and OrionB, both running Orion.
    Both have a deployed TestEjb.
    TestEjb is:
      TestEjbHome -> Home interface
      TestEjbBean -> Bean class
      TestEjb     -> Remote interface.
        TestEjb.doTheJob() -> returns a String containing
                              the name of the machine the
                              bean was executed on
                              (OrionA or OrionB)
 
    We have a standalone client:
 
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.rmi.PortableRemoteObject;

    public class ResourceTest {
      // JNDI and EJB calls throw checked exceptions; declare them here.
      public static void main(String[] args) throws Exception {
        Context     CTX;
        Hashtable   CtxParams;
        TestEjbHome TheHome;
        TestEjb     TheBean;

    // Connect to OrionA and execute the TestEjb bean.
        CtxParams = new Hashtable();
        CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,
           "com.evermind.server.rmi.RMIInitialContextFactory");
        CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");
        CtxParams.put (Context.SECURITY_CREDENTIALS, "123");

           // Provider is the OrionA machine
        CtxParams.put (Context.PROVIDER_URL, "ormi://OrionA/TestAPP");

        CTX = new InitialContext (CtxParams);

        // narrow() returns Object, so the result must be cast to the home type.
        TheHome = (TestEjbHome) PortableRemoteObject.narrow(
          CTX.lookup("TestEjb"), TestEjbHome.class );

        TheBean = TheHome.create();
        System.out.println( "First execution on: " + TheBean.doTheJob() );


    // Connect to OrionB and execute the TestEjb bean.
        CtxParams = new Hashtable();
        CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,
           "com.evermind.server.rmi.RMIInitialContextFactory");
        CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");
        CtxParams.put (Context.SECURITY_CREDENTIALS, "123");

           // Provider is the OrionB machine
        CtxParams.put (Context.PROVIDER_URL, "ormi://OrionB/TestAPP");

        CTX = new InitialContext (CtxParams);

        TheHome = (TestEjbHome) PortableRemoteObject.narrow(
          CTX.lookup("TestEjb"), TestEjbHome.class );

        TheBean = TheHome.create();
        System.out.println( "Second execution on: " + TheBean.doTheJob() );

      }
    }
 
   Running the above with the proper libraries should yield:
 
    First execution on: OrionA
    Second execution on: OrionB
 
   HOWEVER! The real sitch returns:
 
    First execution on: OrionA
    Second execution on: OrionA
 
   Another test:
    Modify the code, so that the bean returns the user name;
    Modify the client, so that it connects to one and the same provider, but with different user_names.
 
   Code should yield:
    First execution on: user1
    Second execution on: user2
 
   However it returns:
    First execution on: user1
    Second execution on: user1
 
   In other words: connecting once means that, till the end, you are connected to the same provider with the same user/pass.
   That's it.
 
   Lachezar.
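The "another test" Lachezar describes in prose (same provider, two different user names, bean returns the caller's name) is worth having as a runnable regression check, because the behaviour it exposes is a security problem in its own right: a client process that serves more than one user would keep calling the EJB as whichever principal authenticated first. The code below is an added example written for this thread; it is not Lachezar's, Mike's or Orion's code. The bean name WhoAmI, its home and remote interfaces, the user names and passwords, and the provider URL are assumptions. The bean side uses the standard EJB 1.1 SessionContext.getCallerPrincipal() call, and the client closes each InitialContext before opening the next one; whether close() changes Orion's behaviour is not established by the thread, so the check reports the result either way instead of assuming a fix.

```java
// --- file WhoAmI.java (remote interface; assumed name) ---
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

interface WhoAmI extends EJBObject {
    // Returns the caller principal as the container sees it.
    String whoAmI() throws RemoteException;
}

// --- file WhoAmIHome.java (home interface; assumed name) ---
interface WhoAmIHome extends javax.ejb.EJBHome {
    WhoAmI create() throws javax.ejb.CreateException, RemoteException;
}

// --- file WhoAmIBean.java (stateless session bean; assumed name) ---
class WhoAmIBean implements javax.ejb.SessionBean {
    private javax.ejb.SessionContext ctx;

    public void setSessionContext(javax.ejb.SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Business method: report the authenticated identity of the caller.
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }
}

// --- file PrincipalLeakCheck.java (standalone client) ---
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class PrincipalLeakCheck {

    // Open a fresh context as the given user, call the bean once,
    // and tear everything down so the next call starts clean.
    static String callAs(String providerUrl, String user, String password)
            throws Exception {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.evermind.server.rmi.RMIInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);

        Context ctx = new InitialContext(env);
        try {
            WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(
                    ctx.lookup("WhoAmI"), WhoAmIHome.class);
            WhoAmI bean = home.create();
            try {
                return bean.whoAmI();
            } finally {
                bean.remove();   // release the server-side instance
            }
        } finally {
            ctx.close();         // release the client-side connection
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed provider and test accounts; adjust to the deployment.
        String url = args.length > 0 ? args[0] : "ormi://OrionA/TestAPP";
        String first  = callAs(url, "user1", "password1");
        String second = callAs(url, "user2", "password2");

        System.out.println("First execution as:  " + first);
        System.out.println("Second execution as: " + second);

        // The second call must run as user2. If it still reports user1,
        // the identity of the first login leaked into the second one.
        if (!"user1".equals(first) || !"user2".equals(second)) {
            System.out.println("PRINCIPAL LEAK: caller identity did not "
                    + "follow the credentials of the second login");
            System.exit(1);
        }
        System.out.println("OK: each login ran as its own principal");
    }
}
```

Both test accounts must be allowed to call whoAmI() in the deployment descriptor, otherwise the second call fails with a permission error rather than reporting the leaked name, which is a different (and less dangerous) outcome. Running the check from a fresh JVM each time matters: the thread's observation is that the first login in a process sticks, so a check that reuses a JVM from an earlier run would measure the earlier login, not this one.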
