A web app (built with Spring & GWT) we're building is currently having issues with security and EJBs. Some calls made by the app to EJBs are throwing "Unauthorized Access by Principal Denied" exceptions. Investigating this it seems that whenever a new thread in geronimo is started to service the call the auth credentials aren't being copied. For example, ContextManager.login is called in thread "http-0.0.0.0-8443-1", and subsequent EJB calls work correctly. Some time later a new thread "http-0.0.0.0-8443-2" is created and the EJB call takes place in it. Geronimo notices that there isn't a subject and installs the default subject (using ContextManager.setCallers), which of course doesn't have the required principals.
I'm assuming the thread spawning is normal though I don't know that. We do have another web app, using Spring but not GWT, that is working correctly. Both web apps use custom LoginModules, though not the same ones. Could this be caused by the web app? Where could I look to get more information? -- View this message in context: http://www.nabble.com/EJB---Web-App-losing-Subject-tp24485373s134p24485373.html Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
