3 Replies Latest reply on Aug 15, 2006 8:49 AM by j2ee_junkie

    JAAS multi-threaded=true causing SecurityException principal

    sdegenaar

We have set up a separate Tomcat installation (tried with both 5.5.9 and the latest 5.5.17) talking to JBoss 4.0.2 (also tried 4.0.4). We are using JAAS authentication with a custom login module authenticating against Active Directory. We are chaining authentication using the org.jboss.security.ClientLoginModule required attribute in the Tomcat login.conf. We also have the attribute set for password-stacking = "useFirstPass". This all works perfectly if we use multi-threaded=false, i.e. pretty much single-user access. If we set this to true we get very intermittent results. Sometimes it works fine, then you will get SecurityException: Insufficient method permissions, principal=null. Refresh a few times and it seems to find the principal again.

      I seem to have reproduced it failing every time by calling a secured session bean method from a JSP page multiple times and doing a refresh halfway through. This will always cause it to get the security exception. Hit refresh a few more times and it seems to find it again. Very strange behaviour. This is possibly happening in our production system as we are using Struts. Possibly it is failing in a similar way, in that it is calling an action and then redirecting... I have tried many things but am lost for ideas. Has anyone seen anything like this or have any ideas?

      Much appreciated,
      cheers!

        • 1. Re: JAAS multi-threaded=true causing SecurityException princ
          j2ee_junkie

          sdegenaar,

          We have setup a seperate tomcat installation

          How does Tomcat's security system interface with JBoss' in your environment?

          Also you may want to read security chapter of server guide at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html

          cgriffith

          • 2. Re: JAAS multi-threaded=true causing SecurityException princ
            sdegenaar

            Cheers cgriffith,

            Well, I have a custom login module (the same one) on both the Tomcat side (common/lib) and the JBoss side (lib). Tomcat points to the login conf file through the Java option -Djava.security.auth.login.config and to the JBoss application server through -Djava.naming.provider.url. In the Tomcat login conf I have org.jboss.security.ClientLoginModule required, so as to chain the authentication to JBoss, with the options multi-threaded = "true" and password-stacking = "useFirstPass". As I said before, if multi-threaded is set to false it works perfectly; set to true it works intermittently.

            Thanks

            • 3. Re: JAAS multi-threaded=true causing SecurityException princ
              j2ee_junkie

              I was trying to get you to do some research so that you would understand your situation better and could then see what you were doing wrong. In any case...

              Your problem is that ClientLoginModule only passes security data to the JBoss invocation within the current thread. However, Tomcat uses thread pools to handle requests, so one request might work fine but another would not. When Tomcat is embedded in JBoss, a valve is added to the pipeline that ensures the security data is present on each request thread. If you want to use Tomcat outside of JBoss, you need to make sure that this valve is used. Also, since Tomcat is not using JBossSecurityMgrRealm (or its newer relative), the security data does not get flushed in JBoss when the HttpSession is invalidated.

              Does this help? cgriffith
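The following is an added example, not code from this thread or from JBoss, that models the mechanism cgriffith describes: the client-side security association is thread-local, so a principal set by ClientLoginModule on the thread that served the login request is invisible to a later request that a different pool thread picks up, and visible again whenever the pool happens to hand the request back to the original thread. `ThreadLocalAssociation`, `NamedPrincipal`, `securedMethod` and the two executors are hypothetical stand-ins for the JBoss security association, the secured session bean and two threads of Tomcat's request pool; the real org.jboss.security classes are not used.

```java
import java.security.Principal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class PooledThreadPrincipalDemo {

    // Hypothetical stand-in for the thread-local client security association
    // (the real org.jboss.security.SecurityAssociation is not used here).
    static final class ThreadLocalAssociation {
        private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
        static void setPrincipal(Principal p) { PRINCIPAL.set(p); }
        static Principal getPrincipal() { return PRINCIPAL.get(); }
        static void clear() { PRINCIPAL.remove(); }
    }

    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stand-in for the container's check in front of a secured session-bean method:
    // it only sees whatever is associated with the calling thread.
    static String securedMethod() {
        Principal p = ThreadLocalAssociation.getPrincipal();
        if (p == null) {
            throw new SecurityException("Insufficient method permissions, principal=null");
        }
        return "ok for " + p.getName();
    }

    // Run one "request" on the given worker thread; report the result or the failure.
    static String serve(ExecutorService worker, Callable<String> request) throws InterruptedException {
        try {
            return worker.submit(request).get();
        } catch (ExecutionException e) {
            return e.getCause().getClass().getSimpleName() + ": " + e.getCause().getMessage();
        }
    }

    // Broken pattern: rely on whatever association the login thread left behind.
    static Callable<String> withoutReassociation() {
        return PooledThreadPrincipalDemo::securedMethod;
    }

    // Fixed pattern, i.e. what the valve does on every request: re-associate the
    // session's principal on the thread serving this request, then clear it so nothing
    // leaks to the next request that happens to land on the same pooled thread.
    static Callable<String> withReassociation(Principal sessionPrincipal) {
        return () -> {
            ThreadLocalAssociation.setPrincipal(sessionPrincipal);
            try {
                return securedMethod();
            } finally {
                ThreadLocalAssociation.clear();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Principal alice = new NamedPrincipal("alice");
        // Two single-thread executors stand in for two threads of the request pool.
        ExecutorService threadA = Executors.newSingleThreadExecutor();
        ExecutorService threadB = Executors.newSingleThreadExecutor();
        try {
            // The login request happens to be served by thread A, so the login module
            // associates alice with thread A only.
            threadA.submit(() -> ThreadLocalAssociation.setPrincipal(alice)).get();

            System.out.println("thread A, no re-association: " + serve(threadA, withoutReassociation()));
            // prints: ok for alice
            System.out.println("thread B, no re-association: " + serve(threadB, withoutReassociation()));
            // prints: SecurityException: Insufficient method permissions, principal=null
            System.out.println("thread B, re-associated:     " + serve(threadB, withReassociation(alice)));
            // prints: ok for alice
            System.out.println("thread B, afterwards:        " + serve(threadB, withoutReassociation()));
            // prints: SecurityException: ... principal=null (the finally block cleared it)
        } finally {
            threadA.shutdownNow();
            threadB.shutdownNow();
        }
    }
}
```

Two things to take from it. First, the "works on refresh" behaviour is just whether the pool assigned the request to thread A or thread B, which is why it looks random from the browser. Second, the broken pattern is not only a denial problem: thread A keeps alice's association for the life of the thread, so after alice's session is invalidated a request from a different user served on thread A would still run secured calls as alice, which is the flushing issue the reply points out. The per-request set/clear in `withReassociation` is the shape of the fix, whether it is done by the JBoss valve when Tomcat runs embedded or by an equivalent valve or filter in a standalone Tomcat.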