2 Replies Latest reply on Jun 2, 2003 1:26 PM by sgfcci

    Losing LoginContext in EJB

    sgfcci

      I have a stateful session bean that logs in so it can access a secure data access session bean. My ejbCreate looks like this:

      public void ejbCreate() {
          try {
              // Do JAAS client login
              loginContext = JaasLogin.clientLogin("dataaccess", "password");
              DataAccessHome dataAccessHome =
                  (DataAccessHome) PortableRemoteObject.narrow(
                      new InitialContext().lookup("DataAccessRemote"),
                      DataAccessHome.class);
              dataAccess = dataAccessHome.create();
              statementList = new StatementListImpl();
              states = new States(DataSourceNames.EXPRESSWRITE, statementList);
              typeTest =
                  new TypeTest(
                      DataSourceNames.EXPRESSWRITE,
                      DataSourceNames.WC400,
                      statementList);
          } catch (Exception ex) {
              throw new EJBException("ejbCreate: " + ex.getMessage());
          }
      }

      When I try to remove the data access bean in the ejbRemove I get:

      java.lang.SecurityException: Authentication exception, principal=null

      I have to log out the context created in my ejbCreate and log in again to call the data access bean's remove:

      public void ejbRemove() {
          try {
              // For some reason the principal is not visible here, so
              // we log out the old context and log in to the current context.
              JaasLogin.clientLogout(loginContext);
              // Do JAAS client login
              loginContext = JaasLogin.clientLogin("dataaccess", "password");
              dataAccess.remove();
              // Log out of JAAS
              JaasLogin.clientLogout(loginContext);
          } catch (Exception ex) {
              throw new EJBException("ejbRemove: " + ex.getMessage());
          }
      }

      Any ideas? Thanks....

        • 1. Re: Losing LoginContext in EJB
          haraldgliebe

          The EJB-Spec doesn't mandate that a stateful session bean should use the security information used in the ejbCreate method for subsequent calls on the same instance, so the reauthentication is necessary in the ejbRemove method.
          Since the user you're using seems constant, you should have a look if declaring
          <security-identity>
              <run-as>
                  <role-name>dataaccess</role-name>
              </run-as>
          </security-identity>
          in the deployment descriptor for your bean doesn't better fit your needs.

          Regards,

          Harald
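
Added example, not part of the original thread: the run-as suggestion above placed in a fuller ejb-jar.xml, following the EJB 2.0 descriptor layout, with the role declared and the data access bean restricted to it. The ejb-name values StatementSession and DataAccess are assumed names, and how the dataaccess role is mapped to a principal is container-specific.

```xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <!-- Assumed name for the calling stateful session bean -->
      <ejb-name>StatementSession</ejb-name>
      <!-- home, remote, ejb-class, session-type, transaction-type as already deployed -->
      <security-identity>
        <!-- Calls this bean makes to other beans carry this role,
             whichever of its methods makes them -->
        <run-as>
          <role-name>dataaccess</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <!-- Assumed name for the secured data access bean -->
      <ejb-name>DataAccess</ejb-name>
      <!-- home, remote, ejb-class, session-type, transaction-type as already deployed -->
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- The role named in run-as must be declared here -->
    <security-role>
      <role-name>dataaccess</role-name>
    </security-role>
    <!-- Only callers in the dataaccess role may invoke DataAccess,
         including create() and remove() -->
    <method-permission>
      <role-name>dataaccess</role-name>
      <method>
        <ejb-name>DataAccess</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

With the identity declared this way, the JaasLogin calls in ejbCreate and ejbRemove should no longer be needed for reaching DataAccess, which also takes the hard-coded password out of the bean code.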

          • 2. Re: Losing LoginContext in EJB
            sgfcci

            Thanks, I will have a look at that...