4 Replies Latest reply on Feb 12, 2004 3:01 PM by starksm64

    Security, multi-user environment

    chalupas

      My question is similar to BrianZ. He wrote:
      -----------------
      We are using SessionContext/EntityContext to get the user name for updating the db. The problem is the last user who logged in is always set for all others in a multi-user environment. Pojos were written in order to isolate the issue, but the problem did not occur. Any suggestions?
      -----------------
      starksm answered:
      -----------------
      don't understand what you're asking with regard to getCallerPrincipal(). This is the identity of the caller on the current invocation. In a multi-user environment it can change on every call. What is the relationship between the caller of an ejb and the db?
      -----------------

      I try to emulate a multi-user environment with the following code:

      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;

      // User 1 has admin privileges.
      // "other" is the entry name in the client's JAAS login configuration file.
      AppCallbackHandler handler1 = new AppCallbackHandler(UserData.ADMIN_LOGIN, UserData.ADMIN_PASSWORD);
      LoginContext lc1 = new LoginContext("other", handler1);
      lc1.login();
      Subject subj1 = lc1.getSubject();
      Context context1 = new InitialContext();
      Object ref1 = context1.lookup("MySessionFacade");
      MySessionFacadeHome facadeHome1 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref1, MySessionFacadeHome.class);
      MySessionFacade facade1 = facadeHome1.create();
      facade1.method();

      // In the server-side method() I put the following line:
      // log.debug("Principal is " + this.sessionContext.getCallerPrincipal().getName());
      // At this time it outputs >>>> Principal is admin

      // User 2 has guest privileges.
      AppCallbackHandler handler2 = new AppCallbackHandler(UserData.GUEST_LOGIN, UserData.GUEST_PASSWORD);
      LoginContext lc2 = new LoginContext("other", handler2);
      lc2.login();
      Subject subj2 = lc2.getSubject();
      Context context2 = new InitialContext();
      Object ref2 = context2.lookup("MySessionFacade");
      MySessionFacadeHome facadeHome2 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref2, MySessionFacadeHome.class);
      MySessionFacade facade2 = facadeHome2.create();

      facade2.method();
      // At this time it outputs >>>> Principal is guest

      //****

      // Call facade1 again ....
      facade1.method();
      // At this time it outputs >>>> Principal is guest

      What code should I put at the line marked //**** so that facade1.method() is called
      with the admin role?
      As I can see from starksm's answer, I must re-login before EACH method() call?
      Probably this situation takes place in servlets/JSPs, which live in the same JVM.

        • 1. Re: Security, multi-user environment
          starksm64

          Yes, the caller identity must be established before each call, so if you keep switching identities you have to keep logging in as the new caller.

          • 2. Re: Security, multi-user environment
            chalupas

            Thanks for your help. The situation becomes clear.
            But now I don't understand where the login procedures should be placed.
            I use Tomcat/JBoss and restrict access to EJBs by specifying a security domain, configuring ejb-jar.xml, etc.
            My assumption is to put the login procedure code in the BusinessDelegate class and call it before each remote method invocation.
            Is that right? What do you advise?

            • 3. Re: Security, multi-user environment
              chalupas

              And a last question. Imagine the following code fragment, which is used by the client:

              public class MyBusinessDelegate {
                  MySessionFacadeHome facadeHome;
                  MySessionFacade facade;
                  String user_name;
                  String user_pass;

                  // Constructor (no return type, otherwise it is an ordinary method that new never calls)
                  public MyBusinessDelegate() {
                      // All required actions for correct initialization of facadeHome and facade, as described
                  }

                  public void login() {
                      // All required actions to login, as described in the above discussion
                  }

                  public void method() {
                      facade.method();
                  }
              }

              In a multi-user, multi-threaded environment (servlet):
              1) User A creates a new instance of the MyBusinessDelegate class;
              MyBusinessDelegate InstA = new MyBusinessDelegate();
              2) User B creates a new instance of the MyBusinessDelegate class;
              MyBusinessDelegate InstB = new MyBusinessDelegate();
              3) User A calls login();
              4) User B calls login();
              5) User A calls method();
              In step 5 User A calls method() as user B.

              Does it mean that login() and method() should be synchronized?
              Any ideas?

              • 4. Re: Security, multi-user environment
                starksm64

                No, provided you use the ClientLoginModule in multi-threaded mode, the security association is specific to a thread.
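The two answers above, reply 1 (re-establish the caller identity before each call) and reply 4 (with ClientLoginModule in multi-threaded mode the association belongs to the calling thread), combined into one client-side business delegate. This is an added example, not code from the thread or from JBoss. It assumes the poster's MySessionFacade/MySessionFacadeHome EJB bound at the JNDI name "MySessionFacade", a jndi.properties that points at the JBoss naming service, the JBoss 3.x org.jboss.security.ClientLoginModule, and a client login configuration entry named "other" as shown in the leading comment; the user names and passwords are made up.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

// Assumed client-side JAAS configuration (file named by -Djava.security.auth.login.config):
//
//   other {
//       org.jboss.security.ClientLoginModule required multi-threaded=true;
//   };
//
// With multi-threaded=true the principal/credential set by login() is stored per thread.
// Without it the association is one static slot for the whole JVM, so the last login()
// from any thread wins for every later remote call: the symptom described in the question.

/** One delegate per authenticated user, e.g. kept in that user's HttpSession. */
public class MyBusinessDelegate {
    private final MySessionFacade facade;      // EJB remote interface from the question (assumed)
    private final CallbackHandler handler;

    public MyBusinessDelegate(String userName, char[] password) throws Exception {
        handler = new UserCallbackHandler(userName, password);
        Object ref = new InitialContext().lookup("MySessionFacade");
        MySessionFacadeHome home =
            (MySessionFacadeHome) PortableRemoteObject.narrow(ref, MySessionFacadeHome.class);
        // create() binds no identity to the stub: the caller principal is read from the
        // calling thread's security association on every remote invocation.
        facade = home.create();
    }

    /** Calls facade.method() as this delegate's user, on the calling thread. */
    public void method() throws Exception {
        LoginContext lc = new LoginContext("other", handler);
        lc.login();            // ClientLoginModule only records name/password for this thread;
        try {                  // the EJB container checks them on each call.
            facade.method();   // server-side getCallerPrincipal().getName() is this user's name
        } finally {
            lc.logout();       // clear the association: servlet threads are pooled, and a
        }                      // stale identity would otherwise serve the next request
    }

    /** Supplies the NameCallback and PasswordCallback that ClientLoginModule issues. */
    private static final class UserCallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        UserCallbackHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "unsupported callback");
                }
            }
        }
    }

    /** The interleaving from reply 3 (A and B each log in, then call) on two threads. */
    public static void main(String[] args) throws Exception {
        // Made-up credentials; the server's security domain decides whether they are valid.
        final MyBusinessDelegate admin = new MyBusinessDelegate("admin", "adminpw".toCharArray());
        final MyBusinessDelegate guest = new MyBusinessDelegate("guest", "guestpw".toCharArray());
        Runnable adminCalls = new Runnable() {
            public void run() {
                try { admin.method(); admin.method(); } catch (Exception e) { e.printStackTrace(); }
            }
        };
        Runnable guestCalls = new Runnable() {
            public void run() {
                try { guest.method(); } catch (Exception e) { e.printStackTrace(); }
            }
        };
        Thread a = new Thread(adminCalls);
        Thread b = new Thread(guestCalls);
        a.start(); b.start();
        a.join(); b.join();
    }
}
```

Two caveats a practitioner should keep in mind with this pattern. lc.login() never contacts the server: ClientLoginModule only stores the name and password for the current thread, and the EJB container verifies them on every invocation, so a wrong password shows up as a failed remote call, not as a LoginException on the client. The logout() in the finally block is the part a servlet needs most: without it the pooled worker thread keeps the previous user's identity, and the next request handled by that thread is made as that user.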