5 Replies Latest reply on Dec 7, 2004 6:45 PM by starksm64

    Using security to end a long-running request?

    craigdberry

      Our application involves long-running (sometimes 3+ hours) transactions in some circumstances. Occasionally, one of these is started accidentally, but there is no obvious way to stop such a task once it's being executed inside the EJB container. We could use a polled flag to signal a desired stop, but that would either be a lot of overhead or leave some cases uncovered depending on where we put the checks for that flag.

      It occurs to me that it might work to temporarily cancel the security authorization of the user on whose behalf the thread is executing. Since most of our EJB methods are JAAS protected based on user role, if I removed all roles from the given user the thread would rather quickly throw a security exception, neatly ending the request. Then I could put the roles back onto the user.

      The problem is that I can't figure out how to make this happen. I've found APIs for flushing credentials for a particular user, but the credentials appear only to be checked once per request, rather than on each new method entry. Is there some other way to immediately "knock out" the authorization roles for a particular user, in a way that will affect currently executing requests?

      Failing that, any ideas on other non-polling-based solutions?
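The polled-flag option from the post, with the poll placed at method entry (the point where a per-method role check would sit), as an added example that is not part of the original post and is not JBoss or EJB API. A plain-Java dynamic proxy stands in for the container's interception point; the names `cancelled`, `Worker`, `guard`, `run` and the user `alice` are hypothetical.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class CancelOnEntryDemo {
    // Hypothetical registry: users whose in-flight requests should be stopped.
    static final Set<String> cancelled = ConcurrentHashMap.newKeySet();

    // Stands in for a business interface whose methods are called repeatedly.
    public interface Worker { void step(int i); }

    // Wrap a target so every method entry polls the flag exactly once.
    // Code between method entries is never interrupted by this check.
    @SuppressWarnings("unchecked")
    static <T> T guard(Class<T> iface, T target, String user) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface},
            (proxy, method, args) -> {
                if (cancelled.contains(user))
                    throw new SecurityException("request cancelled for " + user);
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();   // surface the target's own exception
                }
            });
    }

    // Makes up to maxSteps guarded calls; returns how many ran before the stop.
    static int run(String user, int maxSteps, int cancelAfter) {
        int[] done = {0};
        Worker w = guard(Worker.class, i -> done[0]++, user);
        try {
            for (int i = 0; i < maxSteps; i++) {
                if (i == cancelAfter) cancelled.add(user);  // constructed operator action
                w.step(i);
            }
        } catch (SecurityException e) {
            System.out.println("stopped: " + e.getMessage());
        } finally {
            cancelled.remove(user);   // later requests by this user are unaffected
        }
        return done[0];
    }

    public static void main(String[] args) {
        System.out.println("steps completed: " + run("alice", 1000, 3));
    }
}
```

The per-call cost is one concurrent-set lookup, and a request only stops at its next guarded method entry, so a single long call with no nested guarded calls would run to completion.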