1 Reply Latest reply: Dec 16, 2010 10:17 AM by Sergiu Pienar RSS

    ConcurrentModificationException from the security manager

    Jeff Mesnil Master

      Hi,

       

      I'm helping to integrate HornetQ into AS 6 and when I run the TCK tests, I have failures caused by a ConcurrentModificationException in JBoss SimpleRoleGroup:

       

       

       

       

      16:58:24,449 ERROR [org.hornetq.core.protocol.core.ServerSessionPacketHandler] Caught unexpected exception: java.util.ConcurrentModificationException
      at java.util.AbstractList$Itr.checkForComodification(AbstractList.java:372)
      at java.util.AbstractList$Itr.next(AbstractList.java:343)
      at org.jboss.security.identity.plugins.SimpleRoleGroup.containsRole(SimpleRoleGroup.java:181)
      at org.jboss.security.plugins.JBossAuthorizationManager.doesRoleGroupHaveRole(JBossAuthorizationManager.java:254)
      at org.jboss.security.plugins.JBossAuthorizationManager.doesUserHaveRole(JBossAuthorizationManager.java:194)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.doesUserHaveRole(JaasSecurityManagerBase.java:434)
      at org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole(JaasSecurityManager.java:195)
      at org.hornetq.integration.jboss.security.JBossASSecurityManager.validateUserAndRole(JBossASSecurityManager.java:110)
      at org.hornetq.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:172)
      HornetQ code just delegates to JBoss JaasSecurityManager:

               authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);

       

       

      This exception happens when HornetQ checks if a MDB has the right to create a JMS Consumer.
      Just before the exception occurs, I have a warning:
      16:58:23,202 WARN  [org.jboss.ejb.EjbModule] EJB configured to bypass security. Please verify if this is intended. Bean=MDB_QUEUETXNS_CMT Deployment=vfs:///Users/jmesnil/Desktop/as/trunk/build/target/jboss-6.0.0-SNAPSHOT/server/cts/tmp/jsr88/mdb_msg.ear/mdb_msg_ejb.jar/
      and the MDB has the following configuration:
              <as-context>
                <auth-method>username_password</auth-method>
                <realm>default</realm>
                <required>false</required>
              </as-context>
      Is it valid to call JaasSecurityManager.doesUserHaveRole when the EJB bypasses security. And if it is not, how can I check it from the RealMapping or the AuthenticationManager?
      thanks,
      jeff