My application is a servlet/JSP frontend running on Apache-ajp-Tomcat 4.03 connecting to an EJB layer on WebLogic 6.1.

My problem is that requests from different users with different HTTP sessions connecting to different EJBs are handled by the same ajp worker thread. This causes WebLogic to perceive requests as originating from the user who made the last JNDI context.

Example:

AJP/TOMCAT user 1 creating WebLogic stateful EJB bean1
AJP/TOMCAT user 2 creating WebLogic stateful EJB bean2
AJP/TOMCAT user 1 calling bean1.myMethod()
WEBLOGIC bean1 security checked against user2 ACL and bean1.myMethod() executed as user2 !!!!

I have reported the incident to WebLogic support, who advise me "to modify the thread policy, so that Tomcat creates separate thread for each request".

I know this would affect performance, which of course is important to me. But the security of my application is even more important.

Is there any way to modify the ajp thread policy in Tomcat 4.03?

Regards/peter
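Added example, not part of the original message: a small Java model of the failure described above, assuming the identity used for access checks is bound to the current thread when a context is created. ThreadIdentityDemo, createContext, invoke, callUnsafe and callRebound are hypothetical names, and no WebLogic or Tomcat API is used.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model (assumption): the identity used for access checks is bound
// to the current thread when a context is created, and stays until replaced.
public class ThreadIdentityDemo {
    private static final ThreadLocal<String> THREAD_USER = new ThreadLocal<>();

    // Hypothetical stand-in for creating a JNDI context with credentials.
    static void createContext(String user) { THREAD_USER.set(user); }

    // Hypothetical stand-in for the server-side check on a bean method.
    static String invoke(String bean, String owner) {
        String caller = THREAD_USER.get();
        return bean + ".myMethod() owner=" + owner + " checked as=" + caller
                + (owner.equals(caller) ? "" : "  <-- wrong identity");
    }

    // Unsafe: relies on whatever identity the pooled thread last carried.
    static String callUnsafe(String bean, String owner) { return invoke(bean, owner); }

    // Safer: bind the caller's identity for this request only, then clear it.
    static String callRebound(String bean, String owner) {
        createContext(owner);
        try {
            return invoke(bean, owner);
        } finally {
            THREAD_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread stands in for a shared ajp worker thread.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> createContext("user1")).get(); // user 1 creates bean1
            worker.submit(() -> createContext("user2")).get(); // user 2 creates bean2
            System.out.println(worker.submit(() -> callUnsafe("bean1", "user1")).get());
            System.out.println(worker.submit(() -> callRebound("bean1", "user1")).get());
        } finally {
            worker.shutdown();
        }
    }
}
```

The first printed line shows bean1 checked as user2; the second shows the same call checked as user1 once the identity is bound per request and cleared afterwards.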
