2 Replies Latest reply on Dec 5, 2005 1:53 PM by starksm64

    Wrong SECURITY_PRINCIPAL

    tineq

      There's a method in one of our Stateless EJB (named Log) that returns the logged in user. The code below prints out:

      User1: b
      User2: b

      Why??? Two Log EJBs were created using different InitialContexts, so I would expect that:

      User1: a
      User2: b

      should be printed.

       import java.util.Properties;
       import javax.naming.Context;
       import javax.naming.InitialContext;
       import javax.rmi.PortableRemoteObject;
       // Log and LogHome are the application's own remote/home interfaces of the Log EJB.

       public static InitialContext getInitialContext(String as_username, String as_password) throws Exception {
           Properties p = new Properties();
           // JndiLoginInitialContextFactory takes the login from SECURITY_PRINCIPAL/SECURITY_CREDENTIALS
           p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
           p.put(Context.PROVIDER_URL, "localhost:1099");
           p.put(Context.SECURITY_PRINCIPAL, as_username);
           p.put(Context.SECURITY_CREDENTIALS, as_password);

           p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
           p.put("jnp.disableDiscovery", "true");

           return new InitialContext(p);
       }

       public static void main(String[] args) throws Exception {
           // Two separate contexts, each logged in as a different user
           InitialContext lctx1 = getInitialContext("a", "a");
           InitialContext lctx2 = getInitialContext("b", "b");

           Log llog1 = ((LogHome) PortableRemoteObject.narrow(lctx1.lookup("MobilePackage/Log"), LogHome.class)).create();
           Log llog2 = ((LogHome) PortableRemoteObject.narrow(lctx2.lookup("MobilePackage/Log"), LogHome.class)).create();

           // Prints "User1: b" and "User2: b" instead of a/b, as described above
           System.out.println("User1: " + llog1.getUserId());
           System.out.println("User2: " + llog2.getUserId());
       }



        • 1. Re: Wrong SECURITY_PRINCIPAL
          tineq

          Just to explain a little bit further: we have a web-app that stores username and password in session (I know ... that's bad) and inside servlets (JSPs) is:

          InitialContext lctx = getInitialContext(user, password);
          ...
          lctx.lookup(...)
          ...
          lctx.lookup(...)

          What happens is that sometimes methods are called with the wrong principal.
          We don't actually need different principals on a single thread (like the first code). I found that this can be solved by using InitialContextFactory (instead of JndiInitialContextFactory) with multi-threaded="true" inside the auth.conf file.
          Can anything similar be achieved by using JndiInitialContextFactory?

          • 2. Re: Wrong SECURITY_PRINCIPAL
            starksm64

            Is the JndiLoginInitialContextFactory used outside or inside of the JBoss server? Inside, the multi-threaded mode is already the default. Outside, it would have to be set by calling SecurityAssociation.setServer().

            I added a feature request for this option:
            http://jira.jboss.com/jira/browse/JBAS-2523
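To show what starksm64's last sentence means for a client running outside the server, here is an added example (not code from this thread): it calls SecurityAssociation.setServer() once before any login, so the principal that JndiLoginInitialContextFactory stores is kept per thread, and two worker threads then check that each sees only its own login (a and b respectively). It reuses the getInitialContext helper from the first post and assumes jbossall-client.jar on the classpath and a JBoss naming service at localhost:1099; the class name, principalAfterLogin and the latch are my own additions, and the check reads SecurityAssociation.getPrincipal() instead of calling the Log EJB.

```java
import java.security.Principal;
import java.util.Properties;
import java.util.concurrent.CountDownLatch;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.security.SecurityAssociation;

public class PerThreadPrincipalCheck {
    // Same helper as in the original post: JndiLoginInitialContextFactory stores the
    // username/password in SecurityAssociation when the InitialContext is constructed.
    public static InitialContext getInitialContext(String user, String password) throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
        p.put(Context.PROVIDER_URL, "localhost:1099");
        p.put(Context.SECURITY_PRINCIPAL, user);
        p.put(Context.SECURITY_CREDENTIALS, password);
        p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
        p.put("jnp.disableDiscovery", "true");
        return new InitialContext(p);
    }

    // Logs in as `user` on the calling thread, waits until the other thread has also
    // logged in, then reports which principal SecurityAssociation holds for this thread.
    static String principalAfterLogin(String user, String password, CountDownLatch bothLoggedIn)
            throws Exception {
        getInitialContext(user, password);
        bothLoggedIn.countDown();
        bothLoggedIn.await();
        Principal p = SecurityAssociation.getPrincipal();
        return p == null ? "<none>" : p.getName();
    }

    public static void main(String[] args) throws Exception {
        // Outside the server, SecurityAssociation keeps one principal for the whole VM unless
        // server mode is on, so the latest login would be reported by every thread.
        SecurityAssociation.setServer();   // switch to per-thread storage

        CountDownLatch latch = new CountDownLatch(2);
        String[] seen = new String[2];
        Thread t1 = new Thread(() -> { try { seen[0] = principalAfterLogin("a", "a", latch); }
                                       catch (Exception e) { throw new RuntimeException(e); } });
        Thread t2 = new Thread(() -> { try { seen[1] = principalAfterLogin("b", "b", latch); }
                                       catch (Exception e) { throw new RuntimeException(e); } });
        t1.start(); t2.start(); t1.join(); t2.join();

        // Each thread should report the user it logged in as. Two logins on the SAME
        // thread still overwrite each other, exactly as in the original post's main().
        System.out.println("Thread 1 sees principal: " + seen[0]);
        System.out.println("Thread 2 sees principal: " + seen[1]);
    }
}
```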