1 Reply Latest reply on Sep 20, 2006 10:06 AM by annegret

    Strange: access rights lost

    annegret

      Hi,

      I have a very strange phenomenon which does not occur every time, but often enough that I have to try to find a solution.

      JBoss 4.0.4GA, JDK 1.5.0_05, Windows XP

      I've configured a JAAS login which has been running fine for a long time in our application. Now in a newer version of our application we added functionality and strange things happen.
      Our application is based on applets; each applet calls a stateful session bean which is secured. Before starting the first applet for editing data the user has to log in via a LoginApplet which executes a JAAS login process.
      Now suddenly, when the user changes from one applet to a different applet, the username and access rights are no longer available. On starting a new applet the JAAS login process is executed (transparently for the user) and I can see in the logfile that the username is now "anonymous". I've added the anonymous identity for unauthenticated access because we have one SessionBean for which we need unauthenticated access. But here it's still the logged-in user who is calling the session bean, and who now gets exceptions because of missing access rights.

      It seems that something is throwing out the current user.
      We have an MBean server running that calls login / logout with the same username, but this has been working for a long time and didn't cause any trouble.

      We added a new EJB3 MBean that calls login and logout; could this cause the problems?

      We added functionality that exchanges data with a different application: on JBoss startup the EJB3 bean creates an instance of a class and registers this class for callbacks on the other application. When a special trigger occurs, the other application calls the callback method. In this method a login / logout is done.
      This is the only thing I can imagine that may cause trouble; I don't know which thread is calling login / logout.
      Otherwise I'm not sure, but the problem seems to occur without the callback as well.

      I tried to change the log4j config to see which thread is calling which functions, but I didn't succeed in reproducing the error. I will try to get more information.

      Scott, or anyone else, do you have any idea what may throw out a current user?
      Any idea what I can try ?

      One idea from me is not to call login / logout in the callback function directly, but to get a reference to the EJB3 MBean via JNDI and call login / logout in that context. Do you think this would change anything?

      Any idea would be appreciated

      Annegret




        • 1. Re: Strange: access rights lost
          annegret

          Hi again,

          I found out that not the access rights were lost but only the username has been overwritten (which we use to get additional information from a database).

          I've added support for an unauthenticated identity in our self-written ServerLoginModule the same way it's done in the sample LoginModules in JBoss. But the addition of an empty role set for the unauthenticated identity in the commit() method seems to overwrite the username of the first logged-in user in the cache.
          In already created Stateful SessionBeans the sessioncontext was still ok, but in all stateful SessionBeans created after an unauthenticated access the username in the sessioncontext has been overwritten by anonymous.

          So I removed the addition of an empty role set for the unauthenticated identity and now it seems to work (hopefully ;-) )

          Is there a known bug in JBoss or in the ServerLoginModules ?

          Annegret
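The reply above describes a custom JAAS login module that accepts an unauthenticated identity but no longer adds an empty role set for it in commit(). The following is an added illustration of that pattern, not the poster's ServerLoginModule or any JBoss code: a plain javax.security.auth.spi.LoginModule that treats a call with neither username nor password as the unauthenticated identity, and adds a "Roles" group to the Subject only when a password was actually verified. Assumptions: the module option is named `unauthenticatedIdentity` and roles are read from a java.security.acl.Group named "Roles" on the Subject (both follow the conventions of the JBoss 4 sample login modules; java.security.acl.Group exists in the JDK 1.5 used in the thread but has been removed from recent JDKs); the user store is a constructed in-memory map; `ExampleUnauthenticatedLoginModule`, `SimplePrincipal` and `SimpleGroup` are names chosen for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Illustrative JAAS LoginModule (not the poster's ServerLoginModule, not JBoss code): honours an
// "unauthenticatedIdentity" option but adds a "Roles" group only for a verified user.
public class ExampleUnauthenticatedLoginModule implements LoginModule {

    // Constructed sample user store for this example; a real module would query a database.
    private static final Map<String, char[]> USERS = Collections.singletonMap("alice", "secret".toCharArray());
    private static final Map<String, String[]> ROLES = Collections.singletonMap("alice", new String[] { "Editor", "Reader" });

    private Subject subject;
    private CallbackHandler handler;
    private String unauthenticatedIdentity;  // module option value, e.g. "anonymous" (assumed option name)
    private String username;
    private boolean authenticated;           // true only when a password was actually checked
    private boolean loginOk;
    private final List<Principal> added = new ArrayList<Principal>(); // what commit() put into the Subject

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.unauthenticatedIdentity = (String) options.get("unauthenticatedIdentity");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Callback not supported: " + e.getMessage());
        }
        String user = nc.getName();
        char[] pass = pc.getPassword();
        pc.clearPassword();
        if (user == null && pass == null) {
            // No credentials at all: allowed only when an unauthenticated identity is configured.
            if (unauthenticatedIdentity == null) {
                throw new FailedLoginException("No credentials and no unauthenticatedIdentity configured");
            }
            username = unauthenticatedIdentity;
            authenticated = false;
        } else {
            char[] expected = USERS.get(user);
            if (expected == null || pass == null || !Arrays.equals(expected, pass)) {
                throw new FailedLoginException("Bad username or password");
            }
            username = user;
            authenticated = true;
        }
        loginOk = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!loginOk) return false;
        add(new SimplePrincipal(username));
        // Roles only for a verified user: the unauthenticated identity gets no "Roles" group
        // at all rather than an empty one (assumed: the container reads roles from a Group named "Roles").
        if (authenticated) {
            SimpleGroup roles = new SimpleGroup("Roles");
            for (String r : ROLES.get(username)) roles.addMember(new SimplePrincipal(r));
            add(roles);
        }
        return true;
    }

    private void add(Principal p) { subject.getPrincipals().add(p); added.add(p); }

    public boolean abort() { cleanup(); return true; }
    public boolean logout() { cleanup(); return true; }

    // Remove only what this module added; principals from other modules in the stack are left alone.
    private void cleanup() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        username = null; authenticated = false; loginOk = false;
    }

    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    // Minimal java.security.acl.Group; that interface exists in JDK 1.5 but was removed from recent JDKs.
    static final class SimpleGroup extends SimplePrincipal implements Group {
        private final Set<Principal> members = new HashSet<Principal>();
        SimpleGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }
}
```

Two points worth checking in any module of this shape: the unauthenticated branch is taken only when both name and password are absent, so a request carrying a wrong password for a real user is rejected rather than silently downgraded to the anonymous identity, and logout() removes exactly the principals this module added, so a login/logout pair executed on another thread (the MBean or callback thread mentioned in the first post) cannot strip principals it did not create.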