OK I'm still not sure we are talking on the same page so please bear with me whilst I attempt to restate what is happening.
Tomcat 4.1.18 running in JDK 1.4
JBoss 3.0.3 running in JDK 1.3

Tomcat is running standalone in a separate JVM to JBoss. Both Tomcat and JBoss are running on the same machine (although this configuration means that they could be running on separate machines). Tomcat is running the JAAS login module and running a web application that is making standard RMI calls to EJBs that are running on the JBoss server.

The way that JBoss (and other JAAS enabled servers) determine who is calling them is by looking at the JAAS Subject associated with the calling thread. If Tomcat is using a pool of threads to service requests from web clients then it stands to reason that at some point in the invocation of the JSP code there needs to be an association made between the thread that is performing the work and the JAAS subject which tells JBoss who is calling the EJB. This is a direct parallel to the code in AuthenticatorBase that gets the Principal out of the user's session and sets the request up so that calls to getUserPrincipal() return the correct value.

I have modified the realm so that it caches the JAAS security credentials when a login is performed and indexes it by the user name. When a request comes in, the valve I have written looks up the principal from the user's session, gets the name, looks up the cached subject then makes a Subject.doAs() call that calls the invoke method on the valve context so the rest of the pipeline is executed with the right JAAS security association. All of this seems to be working in the debugger correctly.

The problem is that the JAAS security association that I am doing seems to be with the wrong thread or something because by the time JBoss sees it the subject is the one of the user who most recently logged in. I'm going to have to dig deeper into the Tomcat internals to figure this out but some pointers on how JSP code is invoked in Tomcat would be extremely helpful.

Sorry to labour the point but I really think that if this is an issue with the way that Tomcat associates user sessions with JAAS credentials then someone will have to solve this problem before Tomcat 5 ships and since we have the problem it might as well be me. All I need is some suggestions about where the best place to put the code would be.

On Mon, 2003-02-10 at 16:31, Craig R. McClanahan wrote:
> On Sun, 10 Feb 2003, Peter Kelley wrote:
>
> > Date: 10 Feb 2003 16:12:36 +1100
> > From: Peter Kelley <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Valve Access to Principal
> >
> > I think you misunderstand my question, I want to run Tomcat standalone.
> > The problem I have is that the JAAS credentials don't seem to be being
> > associated with the thread that is running my JSP. The fact that JBoss
> > is on the other end is probably irrelevant, the same problem would occur
> > no matter what was being called.
> >
>
> No, it is *absolutely* relevant, because your complaint is that *JBoss*,
> not Tomcat, is not seeing the Principal you think it should.
>
> > I'm happy to help and contribute whatever code gets written but I need
> > to know where would be the best place to do the security association.
> > Putting the association in a valve doesn't seem to be working, somehow
> > the association is being broken by the time the JSP code is called. Can
> > you provide any guidance on where the best place to do the security
> > association might be?
> >
>
> Show me a scenario that fails in standalone Tomcat and we can talk. If
> the problem shows up only in Tomcat+JBoss, go talk to whoever built that
> integration.
>
> Craig
>
--
Peter Kelley <[EMAIL PROTECTED]>
Moveit Pty Ltd
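
An added illustration, not code from this thread or from Tomcat or JBoss: on a small worker pool it contrasts a Subject bound for the duration of one call with a single process-wide holder, which reports the most recently logged-in user regardless of who made the request. It uses Subject.callAs and Subject.current (JDK 18 and later), the current equivalents of the Subject.doAs call in the message; every class, field and method name is hypothetical.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class SubjectPerRequestDemo {
    // Anti-pattern: one process-wide slot, overwritten by every login.
    static volatile Subject lastLogin;
    // Hypothetical stand-in for a realm cache: user name -> Subject.
    static final Map<String, Subject> cache = new ConcurrentHashMap<>();

    static Subject login(String user) {
        Principal p = () -> user; // constructed sample principal
        Subject s = new Subject(true, Set.of(p), Set.of(), Set.of());
        cache.put(user, s);
        lastLogin = s;
        return s;
    }

    static String name(Subject s) {
        return s == null ? "<none>" : s.getPrincipals().iterator().next().getName();
    }

    // Stand-in for the downstream call: reports the caller each mechanism sees.
    static String callee() {
        return "scoped=" + name(Subject.current()) + " global=" + name(lastLogin);
    }

    // Stand-in for the valve: run the rest of the request as the cached Subject.
    static String handle(String user) {
        return Subject.callAs(cache.get(user), SubjectPerRequestDemo::callee);
    }

    public static void main(String[] args) throws Exception {
        login("alice");
        login("bob"); // bob logs in last
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            for (String user : List.of("alice", "bob", "alice")) {
                System.out.println(user + " -> " + pool.submit(() -> handle(user)).get());
            }
            // A pooled thread outside callAs carries no Subject at all.
            System.out.println("unbound -> " + pool.submit(() -> callee()).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

The scoped value follows the user whose request is being handled, while the global value stays on the last login, so a callee that reads identity from shared state rather than from the calling context shows the symptom described in the message.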