That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials.

I think this behaviour is only seen in case of servlets as clients and not in the case of standalone java cleints as it seems that the once u call the LoginContext.login() then it is associating the principal and credential to every call made from this client...

But in the servlets or JSP's case its not and it is passing null, null in subsequent requests. So tha only solution is calling the logincontext.login() method on every request or did any one find a better solution.

My problem is i have many JSP's and from there i access JavaBeans directly and these Java Beans directly interact with the Session Beans.

And i hope you know the problem for every request if i have to assing the LoginContext ....it seems my future is dark ....it would be very nice if any one can suggest me a better solution which can be done without much code change.

regards
jani

Use a servlet filter or tomcat valve then.

HI All,

Thanks scott, i used a filter to do this but i am not sure how to do it with a tomcat valve any way the filter looks like this

 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 throws IOException, ServletException
 try
 {
 WorkServerWebEJBServiceLocator.getInstance().performLogin();
 chain.doFilter(request, response);
 }
 catch (ServiceLocatorException aException)
 {
 cCat.error("WorkServerWebEJBServiceLocator Login error.");
 cCat.debug("WorkServerWebEJBServiceLocator Login error.", aException);
 }
 finally
 {
 try
 {
 WorkServerWebEJBServiceLocator.getInstance().performLogout();
 }
 catch (ServiceLocatorException aException)
 {
 cCat.error("WorkServerWebEJBServiceLocator Logout error.");
 cCat.debug("WorkServerWebEJBServiceLocator Logout error.", aException);
 }
 }

 try
 {
 UsernamePasswordHandler tHandler = new UsernamePasswordHandler(iUserName,
 iPassword.toCharArray());
 iLoginContext = new LoginContext("client-login", tHandler);
 iLoginContext.login();
 cCat.info("Login With :" + iUserName + ":" + iPassword);
 }
 catch (LoginException aException)
 {
 cCat.error("Could not login for the LoginContext.");
 }

<< That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials. >>

Will this continue to be the same sort of behavior with 3.2.4? Thanks..

hi ,

     I have checked you data , the thing is  even i have same issue that with every request i need to call again  login method logincontext ,

other than filter how we  can d. If you have any solution for it please let me know . It's urgent  ...

Thanx...