13 Replies Latest reply on Apr 27, 2009 12:21 PM by karltraunmueller

    Authentification problems in Jboss 5

    tgueze

      I am using the JBoss 5 app server and I have some problems when using JAAS authentication.

      Different users log in and log out successively and call bean methods.
      On the client side, I have a custom login module which performs authentication.
      On the server side, I use the ClientLoginModule.
      In the beans, I retrieve the EJBContext with a lookup and get the caller principal.
      Sometimes it works, but sometimes the caller returned doesn't correspond to the user who logged in. It corresponds to a user who was logged in before and who logged out.

      import java.lang.reflect.Method;
      import java.security.Principal;
      import javax.naming.InitialContext;

      // Look up the bean's EJBContext in JNDI and call getCallerPrincipal() reflectively
      final Object o = new InitialContext().lookup("java:comp/EJBContext");
      final Class<?> ejbContextClass = Class.forName("javax.ejb.EJBContext");
      final Method getCallerPrincipalMethod = ejbContextClass.getMethod("getCallerPrincipal");
      final Principal principal = (Principal) getCallerPrincipalMethod.invoke(o);
      final String callerId = principal.getName();
      


      Any idea? Did I forget something?

      Thanks.

        • 1. Re: Authentification problems in Jboss 5
          ragavgomatam

          Try setting the cache in login-config.xml to zero.

          • 2. Re: Authentification problems in Jboss 5
            tgueze

            Thanks for the response ragavgomatam but it didn't work.

            I'm using the JBoss 5 RC2 version and I have the same trouble.
            Same configuration: a login module performing the authentication on the client side, the ClientLoginModule on the server side.

            I'm using EJB 3 stateless session beans.

            So a user logs in and performs some operations on the beans, then logs out, and a different user logs in and performs some operations too. I have run these steps in debug mode, and the login is committed, so I assume my new user is logged in.
            On the server side, when I retrieve the caller name in the beans, I get the old user name.

            The first user is also the first caller of the beans.
            I set the cache to 0 and set multi-threaded and restore-login-identity to true, but it had no effect.

            Any idea?
            Thanks in advance.

            • 3. Re: Authentification problems in Jboss 5
              jaikiran

              I may be way off target, but I think this has something to do with the ClientLoginModule. See if this wiki is of any help: http://wiki.jboss.org/wiki/ClientLoginModule

              • 4. Re: Authentification problems in Jboss 5
                tgueze

                I agree and I have read the wiki page.
                I tried to set the different options but it didn't solve my problem.

                I certainly miss something in the configuration, but I can't figure out what...

                • 5. Re: Authentification problems in Jboss 5
                  tgueze

                  Nobody has a clue?

                  The EJB context should be refreshed between two calls, right?
                  The user admin is the first caller of my EJB (so creating the instances) and I get him as principal name even after logout and login of another user. Is there any configuration in JBoss concerning this point?

                  Thanks.

                  • 6. Re: Authentification problems in Jboss 5
                    hanselmo

                    I have the same problems.
                    I'm testing my EJBs with JUnit and I try to access them with ClientLoginModule (JAAS method) and also with JndiLoginInitialContextFactory in the lookup properties (JNDI method). Both methods work well in jboss-4.2.3 but not in jboss-5.0.0.CR2.

                    1) JndiLoginInitialContextFactory doesn't work anymore.
                    2) ClientLoginModule works but I have your problem. I think it's a bug. Try to get the subject with the JBoss API SecurityAssociation.getSubject(). It works but it's just a trick.

                    • 7. Re: Authentification problems in Jboss 5
                      tgueze

                      I feel less alone :)

                      I don't know about the JndiLoginInitialContextFactory.
                      Thanks for the workaround; it works in my case but I cannot use it.

                      So I have created a JIRA issue: https://jira.jboss.org/jira/browse/JBAS-5995

                      • 8. Re: Authentification problems in Jboss 5
                        hanselmo

                        Some news... my test works if I do the EJB lookup again after the second loginContext.login().
                        I think the workaround for you now is to do a new EJB lookup after every loginContext.login() (just for stateless EJBs).

                        • 9. Re: Authentification problems in Jboss 5
                          tgueze

                          I've just tried but it didn't work for me.

                          Strange issue...

                          • 10. Re: Authentification problems in Jboss 5
                            hanselmo

                            Sorry... I tested more carefully and I have the same problem...

                            • 11. Re: Authentification problems in Jboss 5
                              jaikiran

                              I tested this on 4.2.3 and 5.0 CR2. It works on 4.2.3 but not on 5.0 CR2. I looked at the source code of JBoss-4.2.x and JBoss-5. It looks like this is a bug in JBoss-5 where the interceptor (Ejb3AuthenticationInterceptorv2) doesn't seem to be popping the subject.

                              If someone from the JBoss dev team confirms this, you might want to file a JIRA with a simple application demonstrating this issue.

                              • 12. Re: Authentification problems in Jboss 5

                                Hi all,

                                we have also experienced these problems: the Principal associated with stateless session beans seemed to be randomly wrong.

                                I think the problem is in org.jboss.ejb3.EJBContextImpl.getCallerPrincipal:

                                public Principal getCallerPrincipal()
                                {
                                   if(beanPrincipal == null)
                                   {
                                      EJBContainer ec = (EJBContainer) container;
                                      SecurityDomain domain = ec.getAnnotation(SecurityDomain.class);
                                      Principal callerPrincipal = ejbContextHelper.getCallerPrincipal(
                                            SecurityActions.getSecurityContext(),
                                            rm, domain);

                                      // This method never returns null.
                                      if (callerPrincipal == null)
                                         throw new java.lang.IllegalStateException("No valid security context for the caller identity");

                                      beanPrincipal = callerPrincipal;
                                   }
                                   return beanPrincipal;
                                }



                                The beanPrincipal associated with the SLSB is lazily initialized, but never reset thereafter.

                                So, once the SLSB goes back into the pool (after a first invocation) and is later reused for another invocation, the principal isn't correctly reassociated with the current caller; the principal from the first call is still there.

                                The problem is still present in JBoss 5.0.0.GA, JBAS-5995 is still open.

                                Can anyone comment on this?

                                regards,
                                Karl
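As an added example (constructed for this page; it is not JBoss code and not part of the thread), the following self-contained Java program reproduces the pooling behaviour Karl describes. The "security context" is a ThreadLocal holding the caller of the current invocation, the "pool" is a Deque with a single instance, and BuggyEjbContext copies only the caching pattern of the getCallerPrincipal() quoted above; FixedEjbContext reads the current caller on every call instead. Run it and the second invocation, made as `bob`, still reports `admin` from the buggy context, which is exactly the stale-principal symptom reported in this thread. The security point: a bean that uses getCallerPrincipal() for its own authorization or audit logic would then attribute bob's actions, and grant bob's access, as the first user of that pooled instance.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Function;

/*
 * Constructed simulation of a stateless session bean pool, not JBoss code.
 * Names (CURRENT_CALLER, BuggyEjbContext, FixedEjbContext, invoke) are
 * assumptions made for this illustration.
 */
public class PooledPrincipalDemo {

    /** Stand-in for the per-invocation security context that an auth interceptor pushes. */
    static final ThreadLocal<Principal> CURRENT_CALLER = new ThreadLocal<>();

    /** Mirrors the quoted pattern: principal cached on first call, never cleared. */
    static class BuggyEjbContext {
        private Principal beanPrincipal;

        Principal getCallerPrincipal() {
            if (beanPrincipal == null) {
                Principal caller = CURRENT_CALLER.get();
                if (caller == null) {
                    throw new IllegalStateException("No valid security context for the caller identity");
                }
                beanPrincipal = caller;   // stale as soon as this pooled instance serves another caller
            }
            return beanPrincipal;
        }
    }

    /** Fixed variant: no per-instance cache; always ask the current invocation's security context. */
    static class FixedEjbContext {
        Principal getCallerPrincipal() {
            Principal caller = CURRENT_CALLER.get();
            if (caller == null) {
                throw new IllegalStateException("No valid security context for the caller identity");
            }
            return caller;
        }
    }

    /** One bean call: login as `user`, take an instance from the pool, call it, return it, logout. */
    static <T> Principal invoke(Deque<T> pool, Function<T, Principal> bean, String user) {
        CURRENT_CALLER.set(() -> user);          // java.security.Principal has a single abstract method
        T instance = pool.pop();
        try {
            return bean.apply(instance);
        } finally {
            pool.push(instance);                 // instance goes back to the pool for the next caller
            CURRENT_CALLER.remove();             // logout: security context popped
        }
    }

    public static void main(String[] args) {
        Deque<BuggyEjbContext> buggyPool = new ArrayDeque<>();
        buggyPool.push(new BuggyEjbContext());
        Deque<FixedEjbContext> fixedPool = new ArrayDeque<>();
        fixedPool.push(new FixedEjbContext());

        // Two successive users reuse the same pooled instance, as in the thread.
        for (String user : new String[] {"admin", "bob"}) {
            String buggy = invoke(buggyPool, BuggyEjbContext::getCallerPrincipal, user).getName();
            String fixed = invoke(fixedPool, FixedEjbContext::getCallerPrincipal, user).getName();
            System.out.printf("login=%s  buggy=%s  fixed=%s%n", user, buggy, fixed);
        }
    }
}
```

The lookup-again workaround from earlier in the thread does not help with this pattern, because the cache lives on the pooled bean instance rather than on the proxy the client obtained; the hanselmo trick of reading SecurityAssociation.getSubject() directly sidesteps it only because it bypasses the cached field.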


                                • 13. Re: Authentification problems in Jboss 5

                                  I have created a simple test scenario (that should demonstrate the issue) and attached it to the Jira.

                                  Can anyone comment on this?

                                  regards,
                                  Karl