3 Replies Latest reply on Oct 15, 2001 3:25 AM by willievu

    Problem with security and multi-threading in Tomcat 4.0


      I'm using JBoss 2.4.3-Tomcat 4.0. I've an EAR that contains 2 EJB JARs and 1 WAR. In the web app, I use FORM-based authentication to let users login before EJB calls are made. Authentication does work. The user can go to some JSPs that access EJBs. However, after login and a few clicks later, the subject seems lost in Tomcat 4.0. Looking at the server log, I found

      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=findAll, requiredRoles=[securityViewer], principalRoles=[everyone, systemDataViewer]
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=findAll, requiredRoles=[securityViewer], principalRoles=[everyone, systemDataViewer]
      <<no stack trace available>>

      Initially, all HTTP requests are carried out by thread [HttpProcessor[8080][4]], which is the thread that the user logged in with. When the above error occurred, the thread was [HttpProcessor[8080][0]].

      My question is: how is the security context propagated among Tomcat's worker threads that handle HTTP requests? Should Tomcat handle it correctly internally?
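As an added illustration (not code from the poster, JBoss or Tomcat), the following Java model shows why a principal bound to one pooled request thread is invisible to another, and how a per-request rebind-and-clear step avoids both the missing principal and leaking it into the next request. The class and method names are hypothetical, and that the container binds the caller principal per thread in this way is an assumption about the setup described above.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical model, not JBoss or Tomcat code: a thread-bound principal
// ("security association") checked by the EJB side, served by two pooled threads.
public class ThreadBoundPrincipalDemo {
    // Each worker thread sees only the value bound on that same thread.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    // Constructed stand-in for the HttpSession store written at FORM login.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // Stand-in for the EJB-side check that fails when no principal is bound.
    static String checkSecurityAssociation(String method) {
        String p = PRINCIPAL.get();
        return p == null ? "SecurityException: principal=null, method=" + method
                         : "ok: principal=" + p + ", method=" + method;
    }

    // Login binds the principal only on the thread that served the login request.
    static String login(String sessionId, String user) {
        SESSIONS.put(sessionId, user);
        PRINCIPAL.set(user);
        return Thread.currentThread().getName() + " bound principal " + user;
    }

    // A later request. With reassociate=true, a per-request filter rebinds the principal
    // from the session on the current thread and clears it afterwards, so a pooled thread
    // neither lacks it nor carries it over into another user's request.
    static String request(String sessionId, String method, boolean reassociate) {
        if (reassociate) PRINCIPAL.set(SESSIONS.get(sessionId));
        try {
            return Thread.currentThread().getName() + " " + checkSecurityAssociation(method);
        } finally {
            if (reassociate) PRINCIPAL.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker4 = Executors.newSingleThreadExecutor(r -> new Thread(r, "HttpProcessor[4]"));
        ExecutorService worker0 = Executors.newSingleThreadExecutor(r -> new Thread(r, "HttpProcessor[0]"));
        System.out.println(worker4.submit(() -> login("sess-1", "alice")).get());
        System.out.println(worker4.submit(() -> request("sess-1", "findAll", false)).get()); // same thread as login
        System.out.println(worker0.submit(() -> request("sess-1", "findAll", false)).get()); // other thread, nothing bound
        System.out.println(worker0.submit(() -> request("sess-1", "findAll", true)).get());  // other thread, rebound per request
        worker4.shutdown();
        worker0.shutdown();
    }
}
```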