4 Replies Latest reply on Nov 10, 2004 4:48 AM by henkkacre

SecurityProxy reset?

henkkacre Nov 5, 2004 6:53 AM

Hi,

My app architecture is WebStart app, session beans and db on server;

I have implemented a security proxy for my session bean.
It works fine, instantiates, and serves well as proxy during method invokations.
The need for it is simple, to do more sophisticated security checks than the role based that is used for my session beans methods also.

The problem arises when the proxy decides that the action is not allowed and throws SecurityException, as it should. This leads to a case where no more calls through this proxy can be made, thus the session bean is not usable and client cannot make any actions that need the session bean leading to need of resetting whole session bean.

Is there a way of resetting or starting the Proxy? I am using at the moment the default security proxy factory, are there listeners for these factories for me to implement so that when exception happends the factory could initiate a new proxy?

Or have I just done something stupid?

Henri

1. Re: SecurityProxy reset?

starksm64 Nov 8, 2004 12:36 PM (in response to henkkacre)

Show your proxy code.
Actions
2. Re: SecurityProxy reset?

henkkacre Nov 9, 2004 8:13 AM (in response to henkkacre)

Hi,

Here's the code I am using in my test proxy. When the method test is called inside session bean, the SecurityException is thrown. If I try
to call any other method session bean after that nothing happens. Could it be in the use of ThreadLocal? isnt it needed for multiple user control?

package org;

import java.lang.reflect.*;
import javax.ejb.*;
import javax.naming.*;

import org.jboss.logging.*;

public class TestSecurityProxy implements org.jboss.security.SecurityProxy {

private Logger log = null;
private ThreadLocal _ctx = new ThreadLocal();

/**
* init
*
* @param class0 Class
* @param class1 Class
* @param object Object
*/
public void init(Class class0, Class class1, Object object) {
log = Logger.getLogger(this.getClass().getName());
p("Init security proxy");
}

/**
* init
*
* @param class0 Class
* @param class1 Class
* @param class2 Class
* @param class3 Class
* @param object Object
*/
public void init(Class class0, Class class1, Class class2, Class class3,
Object object) {
log = Logger.getLogger(this.getClass().getName());
p("Init security proxy");
}

/**
* invokeHome
*
* @param method Method
* @param objectArray Object[]
*/
public void invokeHome(Method method, Object[] objectArray) {
p("Invoke Home");
}

public void setEJBContext(EJBContext ctx) {
p("setEJBContext " + ctx);
_ctx.set(ctx);
}

public void invoke(Method m, Object[] args, Object bean) throws
SecurityException {

if (bean instanceof TestSessionBean) {
EJBContext ctx = (EJBContext) _ctx.get();
String caller = ctx.getCallerPrincipal().getName();
TestSessionBean t = (TestSessionBean) bean;
String operation = m.getName();
p("invoke method " + operation + " in bean " + t.toString() +
" called by " + caller);

if (m.getName().equals("test")) {
int amount = 3;
if(amount > 0)
throw new SecurityException(
"Failure");
}
}
else {
throw new SecurityException("Invalid bean instance for security proxy");
}
}
/**
* p1
*
* @param string String
*/
private void p(String string) {
if(log != null)
log.debug(string);
}
}
Actions
3. Re: SecurityProxy reset?

starksm64 Nov 10, 2004 2:35 AM (in response to henkkacre)

If this is a stateful session bean it will be discarded after a SecurityException as this is an unchecked exception. You should be getting a NoSuchObjectException in this case. If its a stateless session bean then I don't know what the problem is. You would need to create a bug report on sourceforge with an example.

http://sourceforge.net/tracker/?group_id=22866&atid=376685
Actions
4. Re: SecurityProxy reset?

henkkacre Nov 10, 2004 4:48 AM (in response to henkkacre)

Hi,

It is a Stateful SessionBean. And yes it throws NoSuchObjectException on the next method call on the bean, I have now circumvented this by doing a relogin after the security exception.

Thanks,

Henri
Actions

Go to original post