Re: Security bug with application clients? (More Info)

[Michael Jara]

Lachezar's second example is exactly what I tried, and I got the same results.   I started looking at the docs related to web clients, trying to figure out if there was something different between web-client security and application-client security.  (First, I need to mention that I know next to nothing about web cliens or servlets.)  The Orion security primer on jollem.com seems only to set up permissions per jsp, not actual ejb security.  Is this correct, or does anybody have actual ejb security working with web clients?  (If so, is this using orion's web server, or apache/tomcat?)   Additionally, I tried using the RoleManager...  First of all, you cannot get a role manager from a client.  It is only available inside EJBs.   No problem, I figured, I can have a "login" account, which will allow the user to connect to an "authentication" bean to do a "RoleManager.login".  Within the context of the "authentication" bean, this seemed to work.  However, on return of the function call, the principal reverted to the "login" account.  (I suppose you could pass username & password to every method call and "RoleManager.login" for each one... But what a hack that would be.)   Mike   ----- Original Message ----- From: Lachezar Dobrev To: Orion-Interest Sent: Wednesday, June 13, 2001 2:31 AM Subject: RE: Security bug with application clients? (More Info)    Hello.    Here I want to provide more information on the problem.    Just for clarification.      The problem is NOT the security itself. It works just fine.    The problem lies IMHO in caching or something.    It is also seen only in the RMI connection.      EXAMPLE: Consider following situation:     We have machine OrionA and OrionB, both running Orion.     Both have a deployed TestEjb.     TestEjb is:       TestEjbHome -> Home interface       TestEjbBean -> Bean class       TestEjb     -> Remote interface.         TestEjb.doTheJob() -> returns a String containing                               the name of the machine the                               bean was executed on                               (OrionA or OrionB)       We have a standalone client:       public class ResourceTest {       public static void main(String[] args){         Context     CTX;         Hashtable   CtxParams;         TestEjbHome TheHome;         TestEjb     TheBean;       // Connect to OrionA and execute the TestEjb bean.         CtxParams = new HashTable();         CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,            "com.evermind.server.rmi.RMIInitialContextFactory");         CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");         CtxParams.put (Context.SECURITY_CREDENTIALS, "123);              // Provider is the OrionA machine         CtxParams.put (Context.PROVIDER_URL, "ormi://OrionA/TestAPP");           CTX = new InitialContext (CtxParams);           TheHome = PortableRemoteObject.narrow(           CTX.lookup("TestEjb"), TestEjbHome.class );           TheBean = TheHome.create();         System.out.println( "First execution on: " + TheBean.doTheJob() );         // Conect to OrionB and execute the TestEjb bean.         CtxParams = new HashTable();         CtxParams.put (Context.INITIAL_CONTEXT_FACTORY,            "com.evermind.server.rmi.RMIInitialContextFactory");         CtxParams.put (Context.SECURITY_PRINCIPAL, "admin");         CtxParams.put (Context.SECURITY_CREDENTIALS, "123);              // Provider is the OrionB machine         CtxParams.put (Context.PROVIDER_URL, "ormi://OrionB/TestAPP");           CTX = new InitialContext (CtxParams);           TheHome = PortableRemoteObject.narrow(           CTX.lookup("TestEjb"), TestEjbHome.class );           TheBean = TheHome.create();         System.out.println( "Second execution on: " + TheBean.doTheJob() );         }     }      Running the above with the propper libraries should yeld:       First execution on: OrionA     Second execution on: OrionB      HOWEVER! The real sitch returns:       First execution on: OrionA     Second execution on: OrionA      Another test:     Modify the code, so that the bean returns the user name;     Modify the client, so that it connects to one and the same provider, but with different user_names.      Code should yeld:     First execution on: user1     Second execution on: user2      However it returns:     First execution on: user1     Second execution on: user1      In other words. Connecting once means, that till the end you are connected to the same provider with the same user/pass.    That's it.      Lachezar.