Security, multi-user environment
chalupas Feb 12, 2004 2:09 AM
My question is similar to BrianZ's. He wrote:
-----------------
We are using SessionContext/EntityContext to get the user name for updating the db. The problem is the last user who logged in is always set for all others in a multi-user environment. Pojos were written in order to isolate the issue, but the problem did not occur. Any suggestions?
-----------------
starksm answered:
-----------------
I don't understand what you're asking with regard to getCallerPrincipal(). This is the identity of the caller on the current invocation. In a multi-user environment it can change on every call. What is the relationship between the caller of an ejb and the db?
-----------------
I try to emulate a multi-user environment with the following code:
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class MultiUserTest {
    public static void main(String[] args) throws Exception {
        // User1 has admin privileges
        AppCallbackHandler handler1 = new AppCallbackHandler(UserData.ADMIN_LOGIN, UserData.ADMIN_PASSWORD);
        LoginContext lc1 = new LoginContext("other", handler1);
        lc1.login();
        Subject subj1 = lc1.getSubject();
        Context context1 = new InitialContext();
        Object ref1 = context1.lookup("MySessionFacade");
        MySessionFacadeHome facadeHome1 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref1, MySessionFacadeHome.class);
        MySessionFacade facade1 = facadeHome1.create();
        facade1.method();
        // In the server-side method() I put the following line:
        // log.debug("Principal is " + this.sessionContext.getCallerPrincipal().getName());
        // At this time it will output >>>> Principal is admin

        // User2 has guest privileges
        AppCallbackHandler handler2 = new AppCallbackHandler(UserData.GUEST_LOGIN, UserData.GUEST_PASSWORD);
        LoginContext lc2 = new LoginContext("other", handler2);
        lc2.login();
        Subject subj2 = lc2.getSubject();
        Context context2 = new InitialContext();
        Object ref2 = context2.lookup("MySessionFacade");
        MySessionFacadeHome facadeHome2 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref2, MySessionFacadeHome.class);
        MySessionFacade facade2 = facadeHome2.create();
        facade2.method();
        // At this time it will output >>>> Principal is guest

        //****
        // Call facade1 again ....
        facade1.method();
        // At this time it will output >>>> Principal is guest
    }
}
What code should I put at the line marked //**** to call facade1.method()
with the admin role?
As I can see from starksm's answer, must I re-login before EACH method() call?
Probably this situation takes place in servlets/JSPs, which live in the same JVM.
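The behaviour the post describes, as an added example that is not part of the original thread or of JBoss's code. It models the client-side login as a shared "security association" slot that the container reads on every invocation: the EJB proxy (facade1, facade2) carries no identity of its own, so whichever login happened last on the slot is what getCallerPrincipal() sees. The classes SecurityAssociationModel, Facade and the runAs helper are assumptions invented for this illustration; the slot is modelled as a thread-local, while the scope of the real holder depends on the JBoss version and client configuration.

```java
import java.security.Principal;
import java.util.concurrent.Callable;

// Illustrative model (not JBoss code) of a client-side caller-identity association.
public class CallerPrincipalDemo {

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // One slot per thread: whoever logged in last on this thread owns the slot.
    // (Assumed model; the real holder's scope is configuration-dependent.)
    static final class SecurityAssociationModel {
        private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
        static void login(String user) { PRINCIPAL.set(new SimplePrincipal(user)); }
        static void clear() { PRINCIPAL.remove(); }
        static Principal caller() { return PRINCIPAL.get(); }
    }

    // Stand-in for the remote facade: identity is read from the association at
    // invocation time, not from the proxy object the client happens to hold.
    static final class Facade {
        String method() {
            Principal p = SecurityAssociationModel.caller();
            return p == null ? "unauthenticated" : p.getName();
        }
    }

    // Re-establish the wanted identity around a single call and restore the previous
    // one afterwards, so a later login on the same thread cannot leak into this call.
    static <T> T runAs(String user, Callable<T> call) throws Exception {
        Principal previous = SecurityAssociationModel.caller();
        SecurityAssociationModel.login(user);
        try {
            return call.call();
        } finally {
            if (previous == null) SecurityAssociationModel.clear();
            else SecurityAssociationModel.login(previous.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Facade facade1 = new Facade();
        Facade facade2 = new Facade();

        // First login: admin owns the slot, so facade1 reports admin.
        SecurityAssociationModel.login("admin");
        System.out.println("facade1: " + facade1.method());

        // Second login on the same thread overwrites the slot with guest.
        SecurityAssociationModel.login("guest");
        System.out.println("facade2: " + facade2.method());

        // Calling facade1 again without re-login reads the overwritten slot (guest),
        // which is the surprising line in the post.
        System.out.println("facade1 again: " + facade1.method());

        // Scoped re-login per call restores the identity each client expects,
        // and leaves the guest login in place for facade2 afterwards.
        System.out.println("facade1 as admin: " + runAs("admin", facade1::method));
        System.out.println("facade2 after: " + facade2.method());

        // In this thread-local model, a login on another thread does not disturb
        // the slot of the main thread.
        Thread other = new Thread(() -> {
            SecurityAssociationModel.login("admin");
            System.out.println("other thread: " + facade1.method());
        });
        other.start();
        other.join();
        System.out.println("main thread: " + facade1.method());
    }
}
```

The defensive takeaway is that identity must be attached to the unit of work (one request, one call) rather than to a long-lived proxy: if two users are served from the same thread or the same static holder, every call has to re-assert its caller, otherwise the previous user's privileges (here admin) can be silently replaced by, or leak into, another user's requests.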