3 Replies Latest reply on Jul 8, 2009 11:10 AM by ips

    problems using secured remote EJB interface to Profile Servi

    ips

      https://jira.jboss.org/jira/browse/JOPR-263 is preventing us from using the secured remote EJB interface from the jbas5 plugin running within an Enterprise Jopr Agent. Note, we are able to use the non-secured non-EJB remote interface without any issues, but this doesn't do us much good, since this interface will be disabled in EAP5 anyway.

      The issue stems from the following existing code in the EMS library (a JMX client library, which is used by the jbas5 plugin for remote JMX calls), which was added as a workaround for https://jira.jboss.org/jira/browse/JOPR-9:

      SecurityAssociation.clear();
      SecurityAssociation.setPrincipal(new SimplePrincipal(principal));
      SecurityAssociation.setCredential(credential);

      This code is called every time a JMX invocation is made via EMS, in order to ensure the principal and credential, which are stored in ThreadLocals, have the correct values for the current thread. This is necessary, since a single Jopr Agent can be used to manage multiple JBAS instances, each with different JNP usernames/passwords. The problem is that the above code appears to have the side effect of resetting the JBoss-Security SecurityContext for the current thread to null, which causes subsequent calls to the EJB Profile Service proxies to fail with "javax.ejb.EJBAccessException: Caller unauthorized" exceptions.

      I've written a simple test client that demonstrates the issue:

      https://svn.jboss.org/repos/jopr/trunk/etc/jbas5-ejb-client/

      How can we fix JOPR-263 without reintroducing JOPR-9?

      Thanks,
      Ian
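
A stand-in model of the thread-local interaction described in the post above, added here as an example; it is not code from the post, from EMS, or from JBoss. Every class, field and method name is hypothetical, and the save/restore wrapper is a general pattern for scoping per-thread identity, not a confirmed resolution of JOPR-263.

```java
import java.util.function.Supplier;

// Stand-in model only: these classes are hypothetical and are NOT the JBoss or EMS APIs.
public class ThreadLocalIdentityDemo {
    // Models the per-thread security context that the secured EJB proxies consult.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
    // Models the legacy per-thread principal that the JMX client sets.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Models the clear() side effect described in the post: the context is dropped too.
    static void clear() { PRINCIPAL.remove(); CONTEXT.remove(); }

    // Models a secured EJB call: it fails when the thread has no context.
    static String ejbCall() {
        String caller = CONTEXT.get();
        if (caller == null) throw new SecurityException("Caller unauthorized");
        return "ok:" + caller;
    }

    // Per-invocation identity switch, in the order used by the snippet: clear, then set.
    static String jmxCall(String principal) {
        clear();
        PRINCIPAL.set(principal);
        return "jmx:" + PRINCIPAL.get();
    }

    // Scoped variant: snapshot the thread's state, run the call, always restore.
    static <T> T scoped(Supplier<T> call) {
        String savedContext = CONTEXT.get();
        String savedPrincipal = PRINCIPAL.get();
        try {
            return call.get();
        } finally {
            if (savedContext == null) CONTEXT.remove(); else CONTEXT.set(savedContext);
            if (savedPrincipal == null) PRINCIPAL.remove(); else PRINCIPAL.set(savedPrincipal);
        }
    }

    public static void main(String[] args) {
        CONTEXT.set("ejb-admin");                    // constructed identity from an EJB login
        jmxCall("jnp-user-a");                       // unscoped switch wipes the context
        try { ejbCall(); } catch (SecurityException e) { System.out.println("unscoped: " + e.getMessage()); }

        CONTEXT.set("ejb-admin");
        scoped(() -> jmxCall("jnp-user-b"));         // identity applies only inside the call
        System.out.println("scoped: " + ejbCall());  // context survived the JMX call
    }
}
```

Because the wrapper restores state in a `finally` block, an exception thrown by the JMX call still leaves the thread with the identity it had before the call.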