3 Replies Latest reply on Oct 15, 2001 3:25 AM by willievu

Problem with security and multi-threading in Tomcat 4.0

willievu Oct 10, 2001 5:41 AM

I'm using JBoss 2.4.3-Tomcat 4.0. I've an EAR that contains 2 EJB JARs and 1 WAR. In the web app, I use FORM-based authentication to let users login before EJB calls are made. Authentication does work. The user can go to some JSPs that access EJBs. However, after login and a few clicks later, the subject seems lost in Tomcat 4.0. Looking at the server log, I found

java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=findAll
, requiredRoles=[securityViewer], principalRoles=[everyone, systemDataViewer]
java.lang.SecurityException: Insufficient method permissions, principal=null, method=findAll, requir
edRoles=[securityViewer], principalRoles=[everyone, systemDataViewer]
<<no stack trace available>>

Initially all HTTP requests are carried out by thread [HttpProcessor[8080][4]], which is the thread that the user logged in with. When the above error occurred, the thread is [HttpProcessor[8080][0]].

My question is, how is security context being propagated among Tomcat's work threads that take care of HTTP requests? Should Tomcat handle it correctly internally?

1. Re: Problem with security and multi-threading in Tomcat 4.0

willievu Oct 10, 2001 7:16 AM (in response to willievu)

I found another scenario that points to a more convincing multi-threading problem. After login, I have a menu page that contains links to other pages that call EJBs. I click on one link that will load a lot of EJBs. So it takes a few seconds to process. Before Tomcat finishes loading the EJBs and displays the web page, I click on another link on the menu page. Then I get HTTP 403 (Forbidden) - You are not authorized to view this page. Then I wait a while for the first request to finish. After I click the second link again, it works. It seems like the first time-consuming request ties up Tomcat and it cannot process another request. This is a reproducible case. Can anyone reproduce it in your environment? Can anyone give me some suggestions on how to solve this problem?
Actions
2. Re: Problem with security and multi-threading in Tomcat 4.0

starksm64 Oct 11, 2001 1:13 AM (in response to willievu)

The is at least one problem with security in catalina as described by bug #468195 on sourceforge. Its not clear that what you are seeing is due to this issue.

See: http://sourceforge.net/tracker/index.php?func=detail&aid=468195&group_id=22866&atid=376685
Actions
3. Re: Problem with security and multi-threading in Tomcat 4.0

willievu Oct 15, 2001 3:25 AM (in response to willievu)

I filed a new bug for this problem. I give a sample WAR file to recreate this problem.

https://sourceforge.net/tracker/index.php?func=detail&aid=471225&group_id=22866&atid=376685
Actions

Go to original post