4 Replies Latest reply on Dec 29, 2005 10:33 AM by jwynett

SecurityAssociation principal not cleared after client login

jwynett Nov 23, 2005 2:35 PM

Hi: I'm using JBoss 4.0.3 with EJB3. I have a standalone client that accesses the server and uses the ClientLoginModule to login.

After the client process ends, the SecurityAssociation principal and credential remain set in the thread in the server. This allows another client to have access on the same thread without providing credentials.

I've tried setting 'restore-login-identity' to true and false and the same for 'multi-threaded' and this has no effect.

How can I get the SecurityAssociation to clear on the server after the client disconnects? Below is my client login code and auth.conf:


 static LoginContext lc;

 static {
 CallbackHandler handler = new MyCallbackHandler("admin", "admin");

 try {
 lc = new LoginContext("client-login", handler);
 lc.login();
 }
 catch (LoginException e) {
 e.printStackTrace();
 }
 }

 static class MyCallbackHandler implements CallbackHandler {
 private String username;
 private String password;

 public MyCallbackHandler(String username, String password) {
 this.username = username;
 this.password = password;
 }

 public void handle(Callback[] callbacks)
 throws IOException, UnsupportedCallbackException {
 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks instanceof NameCallback) {
 NameCallback ncb = (NameCallback) callbacks;
 ncb.setName(username);
 }
 else if (callbacks instanceof PasswordCallback) {
 PasswordCallback pcb = (PasswordCallback) callbacks;
 pcb.setPassword(password.toCharArray());
 }
 else {
 throw new UnsupportedCallbackException
 (callbacks, "Unrecognized Callback");
 }
 }
 }
 }

client-login {
 org.jboss.security.ClientLoginModule required
 restore-login-identity="true"
 multi-threaded="true";
};

1. Re: SecurityAssociation principal not cleared after client l

starksm64 Dec 5, 2005 1:23 PM (in response to jwynett)

You need to logout in the thread that performed the initial login to clear the association.
Actions
2. Re: SecurityAssociation principal not cleared after client l

jwynett Dec 6, 2005 10:44 AM (in response to jwynett)

I've tried logging out in the client by calling lc.logout() and while that appears to log me out within the client, it doesn't appear to log me out in the server.

After the log out, I can run the program again without logging in and as long as I get the same thread in the server, the same user is logged in and I can perform the requested function.

I don't know how to logout on the server as I don't think I can guarantee that I get the same thread from the client to call a logout method. And I don't want to have every session bean method logout before exiting because, besides being a huge amount of coding, it would cause many problems when I call bean to bean within the server.

I'm sure there is something simple I am missing or doing wrong, but I can't quite see what it is.
Actions
3. Re: SecurityAssociation principal not cleared after client l

starksm64 Dec 26, 2005 9:58 AM (in response to jwynett)

Without a testcase/deployment illustrating what is being done I can't say what is going on. Create one and attach it to a jira bug report:
http://jira.jboss.com/jira/browse/JBAS
Actions
4. Re: SecurityAssociation principal not cleared after client l

jwynett Dec 29, 2005 10:33 AM (in response to jwynett)

Actually we traced the jboss source and found the bug and put it on JIRA and it has since been fixed. Jira ID is EJBTHREE-384
Actions

Go to original post