3 Replies Latest reply on Jun 11, 2010 4:03 AM by hugbert

    authentication problem with EJB, wrong credentials taken for call

    hugbert

      Hi,

      I have a problem with ejb (2.0) in JBoss 5.1.

Sometimes the EJB is called with the credentials of a user that recently logged in instead of the ones it should have, null/null for username/password.

      I never had this problem with JBoss 4.2, but now often with 5.1.

      From an MBean I instantiate an EJB and call a method with unchecked permission every 3 minutes.

In jboss.xml I have set

          <security-identity>
              <run-as-principal>system</run-as-principal>
          </security-identity>

      and in my LoginModule I have

          myopts.put("unauthenticatedIdentity", "system");

      I even tried to explicitly log in from the MBean, but this did not help.

      private LoginContext loginAsSystem() throws LoginException {
          // No username/password: the LoginModule should map this to the
          // unauthenticatedIdentity "system".
          AppCallbackHandler callbackHandler = new AppCallbackHandler(null, null);
          // "MyRealm" is the security domain (realm) of the EJB.
          LoginContext lc = new LoginContext("MyRealm", callbackHandler);
          lc.login(); // a LoginException propagates to the caller unchanged
          return lc;
      }

      While debugging this, I saw in org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome that

      SecurityActions sa = SecurityActions.UTIL.getSecurityActions();

      returns the credentials of a recently logged in user instead of null/null.

      All calls are made with the context of the wrong principal instead of principal "system".

      What is going on here? I don't see that I am doing something wrong.

      Can anybody please help?

      Thank you

      Hubert

      p.s.

      I use Liferay with JAAS enabled to authenticate against my LoginModule()

        • 1. Re: authentication problem with EJB, wrong credentials taken for call
          jaikiran

          Perhaps logout() is not being called? Could you try to call the logout() method from your test code which is using JAAS to login? I know that you mentioned it's just for testing, but that would give an idea about what might be wrong.

          • 2. Re: authentication problem with EJB, wrong credentials taken for call
            hugbert

            Hi Jaikiran,

            Do you mean to logout from my MBean which does the EJB call?

            I do this already, I do the following:

               1. login

               2. instantiate the EJB

               3. call the method

               4. logout

               5. set EJB to null

            It works for a time, after starting the app the MBean always calls the EJB method with the correct principal. Maybe the error does not happen for a long time.

            But suddenly it starts failing and always uses the credentials from another user.

            I have some questions and would be glad if you could answer some of them:

            Is there another way to force the EJB call to use a certain identity?

            Do you have a debug hint with which I can check what's going on?

            Is my test login call the correct way to force an unauthenticated identity?

            Would pushRunAsIdentity() help me?

            Are there known situations where an app running in JBoss can cause the container to take the wrong principal/credentials?

            Thank you very much

            Hubert

            P.S.

            As long as nobody logs in, everything works, but if a user logs in, the MBean suddenly runs with the credentials of that user. If that user logs out, the MBean still tries to use the credentials, but then authentication fails.

            • 3. Re: authentication problem with EJB, wrong credentials taken for call
              hugbert

              pushRunAsIdentity()/popRunAsIdentity() solved my problem, or rather made the problem go away.

              I do not really understand why my MBean picked up the identity of another user, but it stopped doing this when I used pushRunAsIdentity.

              Hubert
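The pattern the thread ends on, written out as an added example (this is not the poster's MBean code and not part of the original thread). It assumes the JBoss 5 org.jboss.security.SecurityAssociation and RunAsIdentity API (pushRunAsIdentity/popRunAsIdentity/clear) and the poster's "MyRealm" domain, "system" principal and AppCallbackHandler; the role name "SystemRole", the job class and the EJB local interfaces MyServiceLocalHome/MyServiceLocal are hypothetical placeholders. The point it illustrates from a defender's view: the security context JBoss consults is bound to the calling thread, so a scheduled job running on a pooled thread can inherit whatever principal a previous request left there unless it sets its own identity explicitly and removes it again in a finally block.

```java
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;

// Hypothetical scheduled job invoked by the MBean every few minutes.
public class SystemJobRunner {

    // "system" is the run-as principal from the poster's jboss.xml; the role name is assumed.
    private static final String RUN_AS_ROLE = "SystemRole";
    private static final String RUN_AS_PRINCIPAL = "system";
    private static final String SECURITY_DOMAIN = "MyRealm";

    // Hypothetical EJB 2.x local home/interface of the bean being called.
    public interface MyServiceLocalHome { MyServiceLocal create() throws Exception; }
    public interface MyServiceLocal { void doPeriodicWork(); }

    private final MyServiceLocalHome home;

    public SystemJobRunner(MyServiceLocalHome home) {
        this.home = home;
    }

    public void runScheduledCall() throws Exception {
        // Step 1: discard whatever principal/credential a previous request left
        // bound to this thread, so it cannot leak into the call below.
        SecurityAssociation.clear();

        // Step 2: pin the identity the container should see for this invocation.
        SecurityAssociation.pushRunAsIdentity(new RunAsIdentity(RUN_AS_ROLE, RUN_AS_PRINCIPAL));

        LoginContext lc = null;
        try {
            // Step 3: authenticate with no credentials; the LoginModule maps this
            // to its unauthenticatedIdentity ("system").
            lc = new LoginContext(SECURITY_DOMAIN, new AppCallbackHandler(null, null));
            lc.login();

            // Step 4: perform the EJB call under the pinned identity.
            MyServiceLocal bean = home.create();
            bean.doPeriodicWork();
        } finally {
            // Step 5: always undo what was pushed, even on exception, so neither the
            // run-as identity nor the authenticated subject survives on the pooled thread.
            SecurityAssociation.popRunAsIdentity();
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // Best-effort cleanup; the thread context is cleared below regardless.
                }
            }
            SecurityAssociation.clear();
        }
    }
}
```

Pushing the run-as identity before login and popping it in finally is what makes the job's identity independent of the thread's history; clearing the association before and after closes the window in which a stale principal from an interactive user (the symptom described in the thread) could be picked up.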