15 Replies Latest reply on May 28, 2004 2:35 PM by starksm64

    Very Very Urgent !! Multiple User

    anbenham

      Hi, I have a strange behavior in my application

      If a user A tries to log on to the application, and user B is already logged on, sometimes, the user A is logged as B. That is, request.getUserPrincipal() gives the principal of B.

      What's wrong ????

        • 1. Re: Very Very Urgent !! Multiple User
          fenilya

          What kind of application do you have? Do you make use of jsp/servlets? HTTP sessions? If so, how do you keep track of Appserver sessions?

          • 2. Re: Very Very Urgent !! Multiple User
            starksm64

            Using what version of jboss?

            • 3. Re: Very Very Urgent !! Multiple User
              anbenham

              I am using 3.2.3.
              How to keep track of appserver sessions?

              • 4. Re: Very Very Urgent !! Multiple User
                starksm64

                Then show the code that is having the problem and describe how you are setting up the security. The request.getUserPrincipal() value is only valid in the context of the request thread that entered the servlet service method.

                • 5. Re: Very Very Urgent !! Multiple User
                  anbenham

                  Hi,

                  Here are my details:

                  RuntimeEnvironment:
                  JBoss 3.2.3 with Tomcat 4.1

                  Configuration:
                  1-Single Sign On in Tomcat enabled
                  2-I Use my own Implementation for the LoginModule
                  3-I use my own Implementation of the Principal

                  Implementation:

                  LoginModule

                  public boolean commit() throws LoginException {
                      if (!loginOk) return false;
                      Set principals = subject.getPrincipals();
                      // Add Principal
                      principals.add(getIdentity());
                      // Add Roles
                      Group[] roleSets = getRoleSets();
                      for (int g = 0; g < roleSets.length; g++) {
                          Group group = roleSets[g];
                          String name = group.getName();
                          Group subjectGroup = createGroup(name, principals);
                          if (subjectGroup instanceof NestableGroup) {
                              SimpleGroup tmp = new SimpleGroup("Roles");
                              subjectGroup.addMember(tmp);
                              subjectGroup = tmp;
                          }
                          // Copy the group members to the Subject group
                          Enumeration members = group.members();
                          while (members.hasMoreElements()) {
                              Principal role = (Principal) members.nextElement();
                              subjectGroup.addMember(role);
                          }
                      }
                      return true;
                  }
                  
                  public Group[] getRoleSets() throws LoginException {

                      SimpleGroup userRoles = new SimpleGroup("Roles");
                      SimpleGroup callerPrincipalGroup = new SimpleGroup("CallerPrincipal");

                      Set set = new HashSet();
                      // Roles to Group "Roles"
                      try {
                          set = (Set) bereMgr.getBenutzerrollen();
                      } catch (DzException e) {
                          throw new LoginException(e.getMessage());
                      }
                      Iterator it = set.iterator();
                      while (it.hasNext()) {
                          String rolle = (String) it.next();
                          // Add each role to the "Roles" principal
                          userRoles.addMember(new BereFunktion(rolle));
                      }

                      // Add the principal to the "CallerPrincipal" group
                      callerPrincipalGroup.addMember(getIdentity());
                      Group[] roleSets = { userRoles, callerPrincipalGroup };
                      return roleSets;
                  }
                  


                  Getting my Implementation of the principal DZPrincipal

                  Principal principal = SecurityAssociation.getPrincipal();
                  if (principal instanceof DZPrincipal)
                      return (DZPrincipal) principal;
                  else {
                      Subject subject = SecurityAssociation.getSubject();
                      Set principals = subject.getPrincipals();
                      Iterator i = principals.iterator();
                      while (i.hasNext()) {
                          Principal p = (Principal) i.next();
                          if (p instanceof DZPrincipal)
                              return (DZPrincipal) p;
                      }
                  }
                  
                  

                  I use this method to get my Principal, because request.getUserPrincipal() sometimes returns an Instance of SimplePrincipal.


                  Is this Information sufficient?


                  • 6. Re: Very Very Urgent !! Multiple User Problem
                    anbenham

                    Scott please would you reply to this question?
                    I still have this problem.

                    Sometimes when many users work simultaneously, one user gets the session of the other.
                    See my configuration and implementation over here.
                    My logout implementation:

                    http://www.jboss.org/index.html?module=bb&op=viewtopic&t=49616

                    thanx in advance
                    best regards
                    anis

                    • 7. Re: Very Very Urgent !! Multiple User
                      starksm64

                      Create a bug report on sourceforge with a sample that illustrates the problem and include the login module and sso configurations.

                      http://sourceforge.net/tracker/?group_id=22866&atid=376685

                      • 8. Re: Very Very Urgent !! Multiple User
                        anbenham

                        Hi,

                        I think I found a reason for my problem.

                        I have noticed that when I try to call a secure page in my App

                        SecurityAssociation.getPrincipal()
                        sometimes returns a Principal that is logged in another session/thread.

                        I have added a test output in the login page to see the contents of
                        request.getUserPrincipal()
                        and
                        SecurityAssociation.getPrincipal()
                        .
                        Sometimes when another user is logged on, I get the following case:
                        request.getRemoteUser() : null
                        request.getUserprincipal() : null
                        SecurityAssosciation.getPrincipal(): anis

                        Is this normal?



                        • 9. Re: Very Very Urgent !! Multiple User
                          starksm64

                          I can't say without seeing what your code is doing. The SecurityAssociation API is really not a public API. It's a thread local in the server so you cannot be seeing another thread's association. The request.getUserPrincipal() is null whenever you access an unsecured page.
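
Added example, not part of the original posts and not JBoss code: a thread-local value is scoped to the worker thread rather than to the request, so on a pooled thread a value set during one request stays visible to the next request on that thread unless it is cleared. `CURRENT_PRINCIPAL`, `handle` and `run` are hypothetical names; the sketch illustrates the general behaviour and the cleanup that prevents it, and does not establish the cause of the behaviour reported in this thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalIdentityDemo {
    // Hypothetical stand-in for a thread-local security association (not the JBoss class).
    static final ThreadLocal<String> CURRENT_PRINCIPAL = new ThreadLocal<>();

    // Simulates one request on a worker thread.
    // authenticatedUser is null for a request to an unsecured page (no login performed).
    static String handle(String authenticatedUser, boolean clearAfter) {
        try {
            if (authenticatedUser != null) {
                CURRENT_PRINCIPAL.set(authenticatedUser);
            }
            // What application code reading the thread-local would observe.
            return CURRENT_PRINCIPAL.get();
        } finally {
            if (clearAfter) {
                // Mitigation: always reset per-thread identity when the request ends.
                CURRENT_PRINCIPAL.remove();
            }
        }
    }

    // Runs a secured request followed by an unsecured one on the same pooled thread.
    static String[] run(boolean clearAfter) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one worker forces thread reuse
        try {
            String secured = pool.submit(() -> handle("anis", clearAfter)).get();
            String unsecured = pool.submit(() -> handle(null, clearAfter)).get();
            return new String[] { secured, unsecured };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] leaky = run(false);
        String[] clean = run(true);
        System.out.println("no cleanup:   secured=" + leaky[0] + " unsecured=" + leaky[1]);
        System.out.println("with cleanup: secured=" + clean[0] + " unsecured=" + clean[1]);
    }
}
```

Without the cleanup the second, unauthenticated request observes the first request's principal; with `remove()` in the `finally` block it observes `null`.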

                          • 10. Re: Very Very Urgent !! Multiple User
                            anbenham

                            OK, I'll try to build a sample showing how my application is working. BTW how to upload code here?

                            Anyway it's sure, that calling SecurityAssociation.getPrincipal() doesn't always return null if the user is not logged in. Sometimes it returns another principal of a user logged in in another session.

                            Best regards anis

                            • 11. Re: Very Very Urgent !! Multiple User
                              anbenham

                              How can I upload code to show how my application is working?

                              • 12. Re: Very Very Urgent !! Multiple User
                                starksm64

                                By creating a bug report on sourceforge as I mentioned earlier. Bug reports are initiated here:

                                http://sourceforge.net/tracker/?group_id=22866&atid=376685

                                • 13. Re: Very Very Urgent !! Multiple User
                                  bjornbak

                                  I have similar symptoms with JBoss_3.2.3-Jetty_4.2.14, SecurityFilter, S. Radford's com.aegus.securityfiler.JBossRealmAdapter and a custom LoginModule.

                                  Our system is rather complex so I can't describe it here, but my investigations seem to point to a mix-up of session objects in the EJB or security layers.

                                  • 14. Re: Very Very Urgent !! Multiple User
                                    anbenham