On Jul 14, 2009, at 11:39 AM, Kory Markevich wrote:
A web app (built with Spring & GWT) we're building is currently having issues with security and EJBs. Some calls made by the app to EJBs are throwing "Unauthorized Access by Principal Denied" exceptions. Investigating this it seems that whenever a new thread in geronimo is started to service the call the auth credentials aren't being copied. For example, ContextManager.login is called in thread "http-0.0.0.0-8443-1", and subsequent EJB calls work correctly. Some time later a new thread "http-0.0.0.0-8443-2" is created and the EJB call takes place in it. Geronimo notices that there isn't a subject and installs the default subject (using ContextManager.setCallers), which of course doesn't have the required principals.

I'm assuming the thread spawning is normal though I don't know that. We do have another web app, using Spring but not GWT, that is working correctly. Both web apps use custom LoginModules, though not the same ones. Could this be caused by the web app? Where could I look to get more information?
What creates the new non-working thread? In geronimo we generally don't assume anything about the relationship between threads, so if you want the new thread to get a particular security context you'll have to install it yourself.
Something like

    final Subject threadSubject = ContextManager.getCurrentCaller();
    Runnable work = new Runnable() {
        public void run() {
            // install the captured caller in this thread before doing the work
            ContextManager.setCallers(threadSubject, threadSubject);
            // ... do work
            // thread expires
        }
    };
I probably have all the details wrong but this idea should work.

If you use a thread from a thread pool (which I'd recommend) you should uninstall the security context when you are done with the thread.
hope this helps
david jencks
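A fuller version of the pattern sketched above, written for a pooled worker rather than a one-shot thread. This is an added example, not code from the thread or from Geronimo itself: it assumes only the two ContextManager calls already mentioned (getCurrentCaller and setCallers, in package org.apache.geronimo.security) plus a clearCallers() method, which is assumed here to exist for the case where the pool thread had no callers installed before. The Subject is captured on the request thread (where ContextManager.login has already run), installed on the pool thread around the work, and the pool thread's previous callers are restored in a finally block so one user's Subject never leaks into the next task that lands on the same thread.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import javax.security.auth.Subject;
import org.apache.geronimo.security.ContextManager;

/**
 * Wraps a unit of work so that it runs under the Subject of the thread that
 * submitted it, then restores the worker thread's previous callers.
 * Illustrative code, not part of Geronimo.
 */
public final class SubjectPropagatingCall<V> implements Callable<V> {

    private final Subject submitterSubject;   // captured on the submitting (request) thread
    private final Callable<V> delegate;

    private SubjectPropagatingCall(Subject submitterSubject, Callable<V> delegate) {
        this.submitterSubject = submitterSubject;
        this.delegate = delegate;
    }

    /** Call this on the request thread, after ContextManager.login has run. */
    public static <V> SubjectPropagatingCall<V> capture(Callable<V> delegate) {
        Subject current = ContextManager.getCurrentCaller();
        if (current == null) {
            // Fail early instead of letting the work silently run as the default subject,
            // which is exactly the "Unauthorized Access by Principal Denied" situation.
            throw new IllegalStateException("no caller Subject on the submitting thread");
        }
        return new SubjectPropagatingCall<V>(current, delegate);
    }

    /** Runs on the pool thread. */
    public V call() throws Exception {
        // Remember whatever was installed on this pool thread before we touch it.
        Subject previous = ContextManager.getCurrentCaller();
        ContextManager.setCallers(submitterSubject, submitterSubject);
        try {
            return delegate.call();   // EJB calls made here see the submitter's principals
        } finally {
            // Uninstall: a pooled thread must not keep one user's Subject for the next task.
            if (previous != null) {
                ContextManager.setCallers(previous, previous);
            } else {
                ContextManager.clearCallers();   // assumed API; see lead-in
            }
        }
    }

    /** Convenience for request-thread code: submit work that runs as the current caller. */
    public static <V> Future<V> submitAsCurrentCaller(ExecutorService pool, Callable<V> work) {
        return pool.submit(SubjectPropagatingCall.<V>capture(work));
    }
}
```

Note that capture() must be invoked on the request thread, not inside the pool task, because that is the only place the logged-in Subject is available. If the wrapper is built lazily on the worker, getCurrentCaller() returns whatever that worker last had, which is the original symptom.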
--
View this message in context: http://www.nabble.com/EJB---Web-App-losing-Subject-tp24485373s134p24485373.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.