4 Replies Latest reply on May 2, 2003 9:10 AM by cobraflow

    SessionContext getCallerPrincipal

    keir

      Hi,

      We've started seeing problems since upgrading to jboss 3.0.4 from 2.4.4 with stateless session beans using the "run-as" directive.

We have a "guest" bean, which allows access to certain items of data to users that haven't authenticated, which runs as the system role. The code confirms the user is a guest by attempting to retrieve their details from the database, via SessionContext.getCallerPrincipal().getName(), on the assumption that if they are a guest user then they won't have a valid principal name.

      If I bounce jboss and hit the "guest" bean before any other users, everything works fine - the principal name is returned as "system" (same name as the role) which doesn't exist in the database so I am allowed access.

      However, if I log in (on another PC, I hasten to add!) as a registered user (keir@olive.co.uk), do my thing and then leave the system entirely alone for about 5 - 10 minutes and then attempt to access the data from elsewhere as a guest, I get a problem.

The role is correctly identified as "system", but the caller principal is returning the name of "keir@olive.co.uk", i.e. the registered user that I logged in as from a different machine 10 minutes ago.

      It's like there is a pooled instance of a SessionContext that is being re-used but not clearing down the principal name.

      Has anyone else seen anything like this?

      Any ideas as to how I can force the principal to take a different name for my guest bean? Empty would be fine! I've tried the "principal-name" tag in the ejb-jar.xml, both in the "run-as" and the "security-role" sections, but to no avail.
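As an added illustration (this is not keir's code and not anything from JBoss itself), here is roughly what the guest check described above looks like as an EJB 2.x stateless bean, with the "not found in the database" test placed beside a stricter check that compares the caller against an explicitly named anonymous identity. The bean name, the UserDao interface and the "guest" principal name are assumptions; the anonymous name is whatever the deployment's login module hands out for callers that presented no credentials (in JBoss login modules that is the unauthenticatedIdentity module option).

```java
// Added example, not the poster's code. Assumes a stateless session bean
// deployed with <run-as><role-name>system</role-name></run-as> in
// ejb-jar.xml, and a hypothetical UserDao for the "is this a registered
// user" lookup.
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class GuestBean implements SessionBean {

    // Assumed value: the principal name the security domain assigns to
    // unauthenticated callers (JBoss: the unauthenticatedIdentity option
    // of the login module). Naming it makes "guest" an explicit identity
    // rather than something inferred from a failed lookup.
    private static final String UNAUTHENTICATED_PRINCIPAL = "guest";

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    /**
     * The check as described in the post: a caller whose principal name is
     * not in the users table is treated as a guest.
     *
     * Two weaknesses follow from this shape. If the container hands back a
     * stale principal that belongs to a registered user (the symptom above),
     * a real guest is denied. Conversely, any principal the container does
     * return that simply is not in the table is granted guest access, so the
     * check fails open for unknown-but-authenticated names.
     */
    boolean isGuestByLookup(UserDao dao) {
        Principal p = ctx.getCallerPrincipal();
        return p == null || !dao.exists(p.getName());
    }

    /**
     * Stricter check: only the explicitly configured anonymous identity is a
     * guest. A registered user's name, stale or not, never passes here, and
     * an unknown authenticated name does not either.
     */
    boolean isGuestByIdentity() {
        Principal p = ctx.getCallerPrincipal();
        return p != null && UNAUTHENTICATED_PRINCIPAL.equals(p.getName());
    }

    /** Gate for the guest-only business methods of this bean. */
    void requireGuest() {
        if (!isGuestByIdentity()) {
            Principal p = ctx.getCallerPrincipal();
            String who = (p == null) ? "<none>" : p.getName();
            throw new SecurityException("guest bean called by non-anonymous principal: " + who);
        }
    }
}

/** Hypothetical DAO; stands in for whatever lookup the real bean performs. */
interface UserDao {
    boolean exists(String principalName);
}
```

The point of the second check is that it does not depend on the database lookup failing: the bean accepts exactly one identity as "guest", so whatever principal the container returns after a pooled instance is reused either matches that name or is rejected, and the symptom keir describes would surface as a SecurityException naming the stale principal instead of silently changing who the bean thinks is calling.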