13 Replies Latest reply on Jan 12, 2010 10:24 AM by crussell42

    ejb3 via https (servlet-invoker) loses user credentials

    crussell42

      jboss 5.1.0GA remoting 2.5.1

       

      I am using the servlet-invoker.war method of accessing an SLSB via https.

      Works great until my Swing client is idle for more than 60 seconds.

      The next method the client tries to call on the SLSB returns

       

      Exception:Invalid User

       

      I assume this is happening because of either a http session timeout,

      socket or sslsocket time out.

      As per http://community.jboss.org/message/368816#368816

       

      I have tried changing the InvokerLocator to include ?timeout=300000&invokerDestructionDelay

      Neither seems to help with this situation. Also tried adding this parameter to the RemoteBinding as well

      Nothing seems to help.

       

      What am I missing here? Why and where do I configure this 60 second dumping of the EJB invoker's user credentials?

       

      ============================

      The pertinent client code

              // Client-side login with username and password
              securityClient = SecurityClientFactory.getSecurityClient();
              securityClient.setSimple(username, password);
              securityClient.login();

              // JNDI context obtained over HTTPS through the invoker's JNDIFactory
              Properties props = new Properties();
              props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
              props.put("java.naming.provider.url", "https://10.0.0.75:8443/invoker/JNDIFactory");
              props.put("java.naming.factory.url.pkgs", "org.jboss.naming");
              Context jndiContext = new InitialContext(props);

       

       

      =============================

      My SLSB has the following RemoteBinding:

      @RemoteBinding(clientBindUrl = "https://10.0.0.75:8443/servlet-invoker/SSLServerInvokerServlet/?timeout=300000&invokerDestructionDelay=300000")

       

      ==============================

      Here is my servlet-invoker-service.xml

      <?xml version="1.0" encoding="UTF-8"?>


      <server>


        <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=servlet"
          display-name="Servlet transport Connector">
          <attribute name="InvokerLocator">servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet/?timeout=300000&amp;invokerDestructionDelay=300000</attribute>
          <attribute name="Configuration">
            <handlers>
              <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
            </handlers>
          </attribute>
        </mbean>


        <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=sslservlet"
          display-name="Servlet transport Connector">
          <attribute name="InvokerLocator">sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet/?timeout=300000&amp;invokerDestructionDelay=300000</attribute>
          <attribute name="Configuration">
            <handlers>
              <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
            </handlers>
          </attribute>
        </mbean>

      </server>

       

      =============================

      Here is the deploy/servlet-invoker.war/WEB-INF/web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC
         "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
         "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>

          <servlet>
              <servlet-name>ServerInvokerServlet</servlet-name>
              <description>The ServerInvokerServlet receives requests via HTTP
                 protocol from within a web container and passes it onto the
                 ServletServerInvoker for processing.
              </description>
              <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
           
              <init-param>
                  <param-name>locatorUrl</param-name>
                  <param-value>servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet/?timeout=300000&amp;invokerDestructionDelay=300000</param-value>
                  <description>The servlet server invoker</description>
              </init-param>

       


              <load-on-startup>1</load-on-startup>
          </servlet>

       

          <servlet>
              <servlet-name>SSLServerInvokerServlet</servlet-name>
              <description>The ServerInvokerServlet receives requests via HTTPS
                 protocol from within a web container and passes it onto the
                 ServletServerInvoker for processing.
              </description>
              <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
           
              <init-param>
                  <param-name>locatorUrl</param-name>
                  <param-value>sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet/?timeout=300000&amp;invokerDestructionDelay=300000</param-value>
                  <description>The servlet server invoker</description>
              </init-param>

       

              <load-on-startup>2</load-on-startup>
          </servlet>
        
          <servlet-mapping>
              <servlet-name>ServerInvokerServlet</servlet-name>
              <url-pattern>/ServerInvokerServlet/*</url-pattern>
          </servlet-mapping>

       

          <servlet-mapping>
              <servlet-name>SSLServerInvokerServlet</servlet-name>
              <url-pattern>/SSLServerInvokerServlet/*</url-pattern>
          </servlet-mapping>
      </web-app>

        • 1. Re: ejb3 via https (servlet-invoker) loses user credentials
          wolfc
          Could you post the full stack trace of the 'Invalid User' Exception?
          • 2. Re: ejb3 via https (servlet-invoker) loses user credentials
            crussell42
                Exception:Invalid User
                Detailed error stack trace:
                org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:165)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
                org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:388)
                org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:404)
                org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:142)
                org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:171)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                java.lang.Thread.run(Thread.java:637)
                org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:211)
                org.jboss.remoting.Client.invoke(Client.java:1724)
                org.jboss.remoting.Client.invoke(Client.java:629)
                org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
                $Proxy4.invoke(Unknown Source)
                org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
                org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
                $Proxy3.queryAS400PolicyApps(Unknown Source)
                com.hochheim.amproxy.OnlineInquiryPolicyFinderProxyTask.doActualWork(OnlineInquiryPolicyFinderProxyTask.java:54)
                com.hochheim.taskutil.MonitorableTaskImpl$1.call(MonitorableTaskImpl.java:83)
                java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
                java.util.concurrent.FutureTask.run(FutureTask.java:138)
                java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
                java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
                java.lang.Thread.run(Thread.java:619)
                org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:72)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
                org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
                $Proxy4.invoke(Unknown Source)
                org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
                org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
                $Proxy3.queryAS400PolicyApps(Unknown Source)
                com.hochheim.amproxy.OnlineInquiryPolicyFinderProxyTask.doActualWork(OnlineInquiryPolicyFinderProxyTask.java:54)
                com.hochheim.taskutil.MonitorableTaskImpl$1.call(MonitorableTaskImpl.java:83)
                java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
                java.util.concurrent.FutureTask.run(FutureTask.java:138)
                java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
                java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
                java.lang.Thread.run(Thread.java:619)

            • 3. Re: ejb3 via https (servlet-invoker) loses user credentials
              crussell42

              Anyone know how to set how long EJB3 user credentials are cached?

              Think this is somehow the issue but I don't know how to configure this.

               

              I set org.jboss.remoting priority to DEBUG on server side

              and as long as my next method invocation on the EJB3 is within 60 seconds, I get the following

              which looks like the user credentials are being tested against some cache of ejb method invocation credentials.

              Great, just how do I keep those cache entries alive longer than 60 seconds??

              Please ANY help greatly appreciated.

               

              12:51:12,893 TRACE [SecurityRolesAssociation] Setting threadlocal:null
              12:51:12,900 TRACE [Hochheim] Begin isValid, principal:185436, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@41671bc1[Subject(1072935637).principals=org.jboss.security.SimplePrincipal@1571561967(185436)org.jboss.security.SimpleGroup@424398532(Roles(members:participant,principal,185436,agent)),credential.class=java.lang.String@1121675292,expirationTime=1263237041793]
              12:51:12,900 TRACE [Hochheim] Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@41671bc1[Subject(1072935637).principals=org.jboss.security.SimplePrincipal@1571561967(185436)org.jboss.security.SimpleGroup@424398532(Roles(members:participant,principal,185436,agent)),credential.class=java.lang.String@1121675292,expirationTime=1263237041793];credential.class=java.lang.String@1121675292
              12:51:12,900 TRACE [Hochheim] End validateCache, isValid=true
              12:51:12,901 TRACE [Hochheim] End isValid, true
              12:51:12,901 TRACE [LogAuditProvider] [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=185436;method=queryAS400PolicyApps;
              12:51:12,931 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              12:51:12,932 TRACE [EJBPolicyModuleDelegate] method=public java.util.List com.hochheim.amproxy.ejb.AgencyManagerProxyBean.queryAS400PolicyApps(com.hochheim.data.PolicyQuery), interface=Remote, requiredRoles=Roles(member,participant,)
              12:51:12,932 TRACE [LogAuditProvider] [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@114b46e6}:method=public java.util.List com.hochheim.amproxy.ejb.AgencyManagerProxyBean.queryAS400PolicyApps(com.hochheim.data.PolicyQuery):ejbMethodInterface=Remote:ejbName=AgencyManagerProxyBean:ejbPrincipal=185436:MethodRoles=Roles(member,participant,):securityRoleReferences=null:callerSubject=Subject:
                   Principal: 185436
                   Principal: Roles(members:participant,principal,185436,agent)
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@114b46e6;
              12:51:13,067 INFO  [AgencyManagerProxyBean] SELECT B.NISRCH as searchname, CONCAT(CONCAT(CONCAT(CONCAT(CONCAT(CONCAT(TRIM(B.NIBLNR),' '),TRIM(B.NISTNM)),' '),TRIM(B.NIAPT#)),' '),TRIM(B.NIADR2)) as streetaddress, CONCAT(CONCAT(CONCAT(CONCAT(CONCAT(CONCAT(TRIM(C.NIBLNR),' '),TRIM(C.NISTNM)),' '),TRIM(C.NIAPT#)),' '),TRIM(C.NIADR2)) as locaddress, B.NICITY as city, B.NISTAT as state, B.NIZIPC as zip, DIGITS(B.NIPHA1) || DIGITS(B.NIPHP1) || DIGITS(B.NIPHN1) || DIGITS(B.NIPHX1) as phone, B.NICLID as membernumber, A.POLTYP as policytype, DIGITS(A.PMPLNR) as policynumber, A.PMPRFX as policyprefix, A.COMP#  as company, A.GROUP  as policygroup, A.PMSTAT as status, A.PMTEFFDTE as effdate, A.PMTEXPDTE as expdate, A.PMACCNDTE as candate, A.PMOEFFDTE as originaleffdate, A.PMNSRC as policyStateString, A.AGSUB# as agentNumber FROM CIPOMF A LEFT JOIN CINMAD B ON A.PMCLID = B.NICLID LEFT JOIN CINMAD C ON A.PMCLID = C.NICLID AND A.COMP# = C.NICONR AND A.PMPRFX = C.NIPRFX AND A.PMPLNR = C.NIPLNR WHERE A.AGGEN# = 'AGT' AND A.AGSUB# = '185436' AND B.NIRCTP IN('INS','IN2') AND B.NIDLMM = 0 AND C.NIRCTP = 'LOC' AND C.NIDLMM = 0 AND C.NIPLLC = (select max(d.nipllc) from cinmad d where a.pmclid = d.niclid and a.comp# = d.niconr and a.pmprfx = d.niprfx and a.pmplnr = d.niplnr and c.nirctp=d.nirctp and d.nidlmm=0)  and (      (A.PMSTAT = 'A' and DATE(A.PMTEXPDTE) >= DATE(CURRENT_TIMESTAMP)) or       (A.PMSTAT = 'C' and DATE(A.PMACCNDTE) >= DATE(CURRENT_TIMESTAMP))     )
              12:51:19,248 TRACE [SecurityRolesAssociation] Setting threadlocal:null
              12:51:19,248 TRACE [SecurityRolesAssociation] Setting threadlocal:null

               

              AFTER 60 seconds it does not seem to even attempt to access the cache.

               

              {quote}

              12:55:13,693 TRACE [SecurityRolesAssociation] Setting threadlocal:null
              12:55:13,737 TRACE [Hochheim] Begin isValid, principal:null, cache info: null
              12:55:13,737 TRACE [Hochheim] defaultLogin, principal=null
              12:55:13,737 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(Hochheim), size=12
              12:55:13,737 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(Hochheim), authInfo=AppConfigurationEntry[]:
              [0]
              LoginModule Class: com.hochheim.user.jboss.HochheimLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:
              name=dsJndiName, value=java:/HochheimDS
              [1]
              LoginModule Class: org.jboss.security.ClientLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:

              12:55:13,737 INFO  [HochheimLoginModule] Using java:/HochheimDS as our data source
              12:55:13,739 INFO  [HochheimLoginModule] Getting password for null
              12:55:13,739 INFO  [HochheimLoginModule] getUsersPassword query: SELECT * FROM hpfm_user WHERE username = ?
              12:55:13,780 TRACE [ClientLoginModule] Security domain: Hochheim
              12:55:13,782 TRACE [ClientLoginModule] Enabling restore-login-identity mode
              12:55:13,782 TRACE [ClientLoginModule] Begin login
              12:55:13,782 TRACE [ClientLoginModule] Obtained login: null, credential.class: null
              12:55:13,782 TRACE [ClientLoginModule] End login
              12:55:13,788 TRACE [ClientLoginModule] abort
              12:55:13,788 TRACE [Hochheim] Login failure
              javax.security.auth.login.FailedLoginException: Username does not exists
                   at com.hochheim.user.jboss.HochheimLoginModule.getUsersPassword(HochheimLoginModule.java:58)
                   at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:245)
                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                   at java.lang.reflect.Method.invoke(Method.java:597)
                   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                   at java.security.AccessController.doPrivileged(Native Method)
                   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                   at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
                   at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
                   at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
                   at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
                   at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:87)
                   at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:164)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
                   at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                   at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                   at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                   at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                   at org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:388)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:404)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:142)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:171)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                   at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                   at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                   at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                   at java.lang.Thread.run(Thread.java:637)
              12:55:14,042 TRACE [Hochheim] End isValid, false
              12:55:14,043 TRACE [LogAuditProvider] [Error]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=null;method=queryAS400PolicyApps;
              12:55:14,043 TRACE [LogAuditProvider] [Failure]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=null;method=queryAS400PolicyApps;
              12:55:14,043 DEBUG [ServletServerInvoker] Error thrown calling invoke on server invoker.
              javax.ejb.EJBAccessException: Invalid User
                   at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:165)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                   at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
                   at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                   at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                   at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                   at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                   at org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:388)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:404)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:142)
                   at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:171)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                   at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                   at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                   at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                   at java.lang.Thread.run(Thread.java:637)
              12:55:14,169 TRACE [SecurityRolesAssociation] Setting threadlocal:null
              12:55:14,216 TRACE [SecurityRolesAssociation] Setting threadlocal:null

              {quote}

              • 4. Re: ejb3 via https (servlet-invoker) looses user credentials
                crussell42

                So with the above trace I looked for the DefaultCacheTimeout setting for JaasSecurityManager as per

                 

                http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configuration_Guide/The_JBoss_Security_Extension_Architecture-The_JaasSecurityManagerService_MBean.html

                 

                So I set my server/default/conf/jboss-server.xml JaasSecurityManager configuration

                DefaultCacheTimeout (which was 1800 not 60) and even messed around with the

                DefaultCacheResolution and neither seemed to change the failed cache lookup of credentials.

                 

                Please ANY help appreciated.

                • 5. Re: ejb3 via https (servlet-invoker) looses user credentials
                  wolfc

                  Are you by any chance using a cached thread pool executor and not associating (and relinquishing) the security principal within the task itself?

                   

                  If so, the thread dies after 60 seconds idle time and the new thread will not have the same security context.

                  1 of 1 people found this helpful
                  • 6. Re: ejb3 via https (servlet-invoker) looses user credentials
                    crussell42

                    (Sorry, I don't really know) How do I tell?

                    Within the ejb I am not specifying anything like that (other than the @RemoteBinding invokerDestructionDelay=300000).

                    Wouldn't any invocation thread pool be created within the invoker?

                    How does the invokerDestructionDelay relate and how would one set the type of thread pool used?

                    In servlet-invoker-service.xml and in servlet-invoker.war/WEB-INF/web.xml I am also setting invokerDestructionDelay=300000

                     

                    Is there some config I have missed for generic Invoker threading model?

                    • 7. Re: ejb3 via https (servlet-invoker) looses user credentials
                      crussell42

                      Ok, I see what you are saying here.

                      On the client side I do use Executors.newCachedThreadPool() for executing my ejb calls from the client.

                      I'm not sure I can quite grasp why the Executor would have an associated Security Principal?

                      I had assumed that the SecurityClient maintained a thread local version of the credentials.

                       

                      Also,

                      In the main thread of the swing application, before the gui thread takes over I call a single method on the bean

                      to verify the credentials are valid e.g.

                      SecurityClient.setSimple(username,password)

                      SecurityClient.login();

                      https jndi lookup of bean;

                      User u = getUser(username);

                       

                      At this point the user is authenticated within the security realm and I am able to call follow-on methods

                      before control is turned over to gui.

                      All these calls would have been called on the "main" thread.

                      Then control is turned over to gui, at which point all invocations against the SLSB use a FutureTask and the

                      Executors.newCachedThreadPool().

                       

                      So we have already spanned at least 3 threads and the Credentials have remained intact.

                      So are you suggesting that the newCachedThreadPool is the only instance where

                      loss or change of a thread would lose credentials?

                       

                      I will test this theory by placing a 90 sec delay in between 2 method calls in the main before

                      ThreadPools are even used and see what happens.

                      • 8. Re: ejb3 via https (servlet-invoker) looses user credentials
                        wolfc

                        The initial threads of the cached thread executor inherit the security context from the main thread. After 60 seconds of idle time the executor kills the threads and creates new ones when needed. These however are initiated outside the context of the main thread and thus no security context is available.

                         

                        The FutureTask itself should set up a security context, then you'll always have a correct security context available.

                        1 of 1 people found this helpful
                        • 9. Re: ejb3 via https (servlet-invoker) looses user credentials
                          crussell42

                          Ok, the 90 second delay on the main thread worked.

                          That is

                          ejb.doSomething()

                          Thread.sleep(100000)

                          ejb.doSomethingElse()

                          Works from within main().

                           

                          So what in the world am I missing about how credentials are maintained on the client side?

                          How are they passed around to new threads and why does the destruction of a thread

                          from the CachedThreadPool lose same?


                          Thanks for the great clue regardless.

                          Will pursue the CachedThreadPool issue. Any suggestions welcome.

                          • 10. Re: ejb3 via https (servlet-invoker) looses user credentials
                            crussell42

                            {quote}

                            The FutureTask itself should set up a security context, then you'll always have a correct security context available.

                            {quote}

                             

                            Sorry for the silly question but how would one do that?

                            I guess I am a bit confused on exactly when the security context is set up?

                             

                            Is there some way to pull that from the SecurityClient?

                            Or do I need to re-initiate a jndi lookup for each FutureTask (seems brutally inefficient)?

                            • 11. Re: ejb3 via https (servlet-invoker) looses user credentials
                              crussell42

                              Boy I feel goofy.

                              One quick solution is

                              {code}

                              SecurityClient.setVmwideAssociation(true);

                              {code}


                              This fixes it but is it the correct solution? Is this a security hazard or

                              performance constraint or issue with multiple apps on same machine?

                              • 12. Re: ejb3 via https (servlet-invoker) looses user credentials
                                wolfc

                                It only poses a hazard if multiple users use the same VM.

                                 

                                In essence it proves that the problem is within the Executor. For a multiple-user environment a FutureTask must always set up a security context before calling out.

                                • 13. Re: ejb3 via https (servlet-invoker) looses user credentials
                                  crussell42

                                  Thanks for all the help.

                                   

                                  Still not entirely sure how one "associates" a security context with a thread.

                                   

                                  Within a FutureTask, how does one go get a security context and associate it with itself?

                                   

                                  The VmwideAssociation works but I am sure this is valuable info for other newbies to the SecurityClient usage.

                                   

                                  Where a typical FutureTask looks something like this

                                   

                                    FutureTask<Object> future = new FutureTask<Object>(new Callable<Object>() {
                                        public Object call() {
                                            try {
                                                return doActualWork();
                                            } catch (Exception e) {
                                                e.printStackTrace();

                                                if ((e instanceof java.io.InvalidClassException) ||
                                                    (e instanceof java.rmi.MarshalException) ||
                                                    (e.getCause() instanceof java.io.InvalidClassException) ||
                                                    (e.getCause() instanceof java.rmi.MarshalException)) {
                                                    //fail("MonitorableTask failed because there was a mismatch between the data returned from the server and the data expected.\nYou probably need to connect to Hochheim and download updates to correct this problem.\nIf it persists please contact support at Hochheim.");
                                                    fail("An Agency Manager update is ready to be installed. Please connect to HPFM and reopen the Agency Manager to continue.");
                                                    return(null);
                                                }

                                                fail(e);

                                                logger.error("An exception was captured in MonitorableTaskImpl...Normally exceptions would be caught and fail already called in doActualWork. THis one slipped through the cracks and so SOMEONE should find out why.");

                                                //set some sort of querryable status here I suppose.
                                            }
                                            return(null);
                                        }});
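
The advice given earlier in the thread (have the task itself associate and relinquish the security context) can be sketched with the JDK alone. This is an added example, not code from the thread or from JBoss: `PRINCIPAL` is a hypothetical `InheritableThreadLocal` standing in for the client-side security association, `dispatcher` stands in for a GUI event thread started before login, and the idle timeout is shortened from 60 seconds to 1 second.

```java
import java.util.concurrent.*;

public class ContextBoundTaskDemo {
    // Assumption: stand-in for the client's per-thread security association.
    // A new thread copies the value only at the moment it is created.
    static final InheritableThreadLocal<String> PRINCIPAL = new InheritableThreadLocal<>();

    /** Wraps work so the task itself associates, then relinquishes, the caller's identity. */
    static <T> Callable<T> bind(String user, Callable<T> work) {
        return () -> {
            String previous = PRINCIPAL.get();
            PRINCIPAL.set(user); // assumption: the page's setSimple(...) and login() would go here
            try {
                return work.call();
            } finally { // never leave an identity behind on a pooled thread
                if (previous == null) PRINCIPAL.remove(); else PRINCIPAL.set(previous);
            }
        };
    }

    static String whoAmI() {
        return Thread.currentThread().getName() + " sees principal " + PRINCIPAL.get();
    }

    /** Submits task to pool from inside the 'from' thread, as a GUI event handler would. */
    static String via(ExecutorService from, ExecutorService pool, Callable<String> task) throws Exception {
        Callable<String> hop = () -> pool.submit(task).get();
        return from.submit(hop).get();
    }

    public static void main(String[] args) throws Exception {
        // Models the GUI event thread: started before login, so it inherits no principal.
        ExecutorService dispatcher = Executors.newSingleThreadExecutor();
        dispatcher.submit(() -> { }).get();
        // Same shape as Executors.newCachedThreadPool(), but 1 s idle timeout instead of 60 s.
        ExecutorService pool = new ThreadPoolExecutor(0, Integer.MAX_VALUE, 1, TimeUnit.SECONDS,
                new SynchronousQueue<Runnable>());
        Callable<String> task = ContextBoundTaskDemo::whoAmI;
        PRINCIPAL.set("alice"); // "login" on the main thread (constructed user name)
        System.out.println("from main:          " + pool.submit(task).get());
        Thread.sleep(200);  // let the worker go back to waiting in the pool
        System.out.println("worker still alive: " + via(dispatcher, pool, task));
        Thread.sleep(2000); // idle past the keep-alive, so the worker is discarded
        System.out.println("after idle timeout: " + via(dispatcher, pool, task));
        System.out.println("context-bound task: " + via(dispatcher, pool, bind("alice", task)));
        pool.shutdown();
        dispatcher.shutdown();
    }
}
```

Only the third line of output shows a `null` principal: the replacement worker was created by a thread that never held the identity. Clearing the value in `finally` is what keeps this approach safe when several users share one VM, the case where a VM-wide association is a hazard.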