1 2 Previous Next 18 Replies Latest reply on Aug 15, 2011 8:10 AM by jean.baldessar Branched to a new discussion.

    Principal propagation from web to ejb

    jean.baldessar

      I'm migrating my application to JBoss 7 and there's something strange with the EJB authentication

      The authentication is performed by web tier with JAAS.

       

      The web application has a ajax button that calls a session bean method.

      The method is something like that:

       

      @Resource private SessionContext ctx;

          @Override

          public void testLoggedUser(){

              try {

                  System.out.println(ctx.getCallerPrincipal().getName());

              } catch (Exception e) {

                  System.out.println("nobody");

              }

          }

       

      Here is the output of a sequence of clicks in the button:

       

      17:16:08,912 INFO  [stdout] (http--127.0.0.1-80-4) jean

      17:16:09,120 INFO  [stdout] (http--127.0.0.1-80-2) nobody

      17:16:09,337 INFO  [stdout] (http--127.0.0.1-80-1) nobody

      17:16:09,546 INFO  [stdout] (http--127.0.0.1-80-3) nobody

      17:16:09,954 INFO  [stdout] (http--127.0.0.1-80-5) nobody

      17:16:10,164 INFO  [stdout] (http--127.0.0.1-80-6) nobody

      17:16:10,385 INFO  [stdout] (http--127.0.0.1-80-4) jean

      17:16:10,592 INFO  [stdout] (http--127.0.0.1-80-2) nobody

      17:16:10,799 INFO  [stdout] (http--127.0.0.1-80-1) nobody

      17:16:11,017 INFO  [stdout] (http--127.0.0.1-80-3) nobody

      17:16:11,233 INFO  [stdout] (http--127.0.0.1-80-5) nobody

      17:16:11,465 INFO  [stdout] (http--127.0.0.1-80-6) nobody

      17:16:11,857 INFO  [stdout] (http--127.0.0.1-80-4) jean

      17:16:12,287 INFO  [stdout] (http--127.0.0.1-80-2) nobody

      17:16:12,508 INFO  [stdout] (http--127.0.0.1-80-1) nobody

      17:16:12,688 INFO  [stdout] (http--127.0.0.1-80-3) nobody

      17:16:12,889 INFO  [stdout] (http--127.0.0.1-80-5) nobody

      17:16:13,117 INFO  [stdout] (http--127.0.0.1-80-6) nobody

      17:16:13,304 INFO  [stdout] (http--127.0.0.1-80-4) jean

       

      What the hell is happening here? It should always print 'jean'... don't?

      It seems that the authentication only works in one thread... should this be so?

      help please!

        • 1. Re: Principal propagation from web to ejb
          jaikiran

          Post the code which does the login. If it's container managed authentication then post the relevant configs.

          • 2. Re: Principal propagation from web to ejb
            jean.baldessar

            thanks for replying jaikiran pai.

             

            I'm using a simple form based container authentication with JBoss DatabaseServerLoginModule.

             

            The standanole looks like that:

            <security-domain name="myDomain">

                                <authentication>

                                    <login-module code="Database" flag="required">

                                        <module-option name="dsJndiName" value="java:/initium-ds1"/>

                                        <module-option name="principalsQuery" value="select password, login from asdusuario where login = ?"/>

                                        <module-option name="rolesQuery" value="SELECT 'admin' rolename, 'Roles' rolegroup from dual where ? is not null"/>

                                    </login-module>

                                </authentication>

                            </security-domain>

             

            The war/web-inf/jboss-web.xml:

             

            <?xml version='1.0' encoding='UTF-8' ?>

            <!DOCTYPE jboss-web

                PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"

                "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

            <jboss-web>

               <security-domain>myDomain</security-domain>

            </jboss-web>

             

            The jar/meta-inf/jboss.xml:

             

            <?xml version='1.0' encoding='UTF-8' ?>

            <jboss>

               <security-domain>myDomain</security-domain>

            </jboss>

             

             

            Some idea?

            • 3. Re: Principal propagation from web to ejb
              jean.baldessar

              One more information:

              The same application works fine in JBoss 4.2.3.

               

              Anyone else tested this in JBoss 7?

              It only happens in my application?

               

              thanks

              • 4. Re: Principal propagation from web to ejb
                jean.baldessar

                If it helps:

                 

                I made some tests and the same problem happens using the UsersRolesLoginModule.

                It excludes my suspects that the problem was on the DatabaseServerLoginModule...

                 

                To me, it seems like a JBoss 7 bug, but it's too basic to that...

                I would like to know if somebody already did a similar test.

                 

                thanks

                • 5. Re: Principal propagation from web to ejb
                  jaikiran
                  1 of 1 people found this helpful
                  • 6. Re: Principal propagation from web to ejb
                    jean.baldessar

                    Hi jaikiran pai, thanks for replying.

                     

                    I've added the @org.jboss.ejb3.annotation.SecurityDomain annotation in my SSB and nothing changed.

                    I must have done something wrong.

                     

                    My SSB now looks like that:

                     

                    @Stateless

                    @SecurityDomain(value = "myDomain")

                    public class TesSSB implements ITestSSB{

                     

                    @Resource private SessionContext ctx;

                        @Override

                        public void testLoggedUser(){

                            try {

                                System.out.println(ctx.getCallerPrincipal().getName());

                            } catch (Exception e) {

                                System.out.println("nobody");

                            }

                        }

                    }

                     

                     

                    the output still the same...

                    • 7. Re: Principal propagation from web to ejb
                      jean.baldessar

                      it seems that the SecurityDomain doesn't affect my application. I put @DenyAll in the method but it still being executed. (with the same strange behaviour).

                      I must have done something wrong becouse it works for beckers.

                      Anyway, nobody misses the SessionContext.getCallerPrincipal() functionality?

                      • 8. Re: Principal propagation from web to ejb
                        jean.baldessar

                        jeikiran pai,

                         

                        I made a simple sample application to explain my problem and it worked.

                        Is seems that the problem its specific to my application.

                        I'll try to find the difference between my real application and the sample application.

                         

                        When I find the problem i'll post it for the community

                         

                        thanks for the help

                        • 9. Re: Principal propagation from web to ejb
                          jean.baldessar

                          I found the problem!

                           

                          I'm using JSF 1.2 and Richfaces 3.3.2.SR1.

                           

                          I have the Richfaces filter configured in web.xml:

                           

                          <filter>

                                  <display-name>RichFaces Filter</display-name>

                                  <filter-name>richfaces</filter-name>

                                  <filter-class>org.ajax4jsf.Filter</filter-class>

                              </filter>

                              <filter-mapping>

                                  <filter-name>richfaces</filter-name>

                                  <servlet-name>Faces Servlet</servlet-name>

                                  <dispatcher>REQUEST</dispatcher>

                                  <dispatcher>FORWARD</dispatcher>

                                  <dispatcher>INCLUDE</dispatcher>

                                  <dispatcher>ERROR</dispatcher>

                              </filter-mapping>

                           

                          removing the Richfaces filter everything works fine. (excluding the Richfaces itself).

                          Now I need to find a way to use Richfaces without this problem.

                           

                          Maybe a diferent version... some idea?

                          • 10. Re: Principal propagation from web to ejb
                            dlofthouse

                            Is there any chance of uploading an app somewhere with Richfaces enabled that can reproduce this?

                            • 11. Re: Principal propagation from web to ejb
                              jean.baldessar

                              Hi Darran Lofthouse, yes, I'll make one example and post here later.

                              • 12. Re: Principal propagation from web to ejb
                                jean.baldessar

                                Here is an application that show my problem.

                                 

                                To deploy it in JBoss 7 you just have to create a security domain called 'myDomain' with your user and login.

                                The source code its inside the EAR.

                                To see the erros, follow the steps:

                                 

                                * acess the url localhost:8080/sampleweb/index.jsf

                                * do the login

                                * click a lot in the ajax button (30 to 50 times)

                                * look at the console window

                                 

                                The behavior is realy weird, sometimes you start clicking and everything works fine, but if you continue clicking, at some point, the thread that run the request starts to change, and then you got the authentication problem. After the thread change for the first time, is starts to run every request in a diferent thread, and then you got the error in 80% of the requests (even clicking in the non ajax button).

                                 

                                After some tests, I'm not sure  anymore if the problem is realy with Richfaces, maybe it's a concurrent requests problem and the Richfaces just make possible to verify this. But as I said previously, removing the Richfaces filter everything seems to work fine. (excluding the Richfaces itself).

                                So, if you do that, the non ajax button will work fine, but the ajax button will stop working.

                                 

                                In my production application it happens without clicking a lot of times in an ajax button. It happens 90% of the time.

                                very strange and very unstable...

                                • 13. Re: Principal propagation from web to ejb
                                  dlofthouse

                                  Thank you for the deployment, I have now been able to reproduce this myself. 

                                   

                                  I am currently looking into the details but I do believe that this is showing a bug in AS7 - once I have the details clarified I will get the Jira issues raised and post them here.

                                  1 of 1 people found this helpful
                                  • 14. Re: Principal propagation from web to ejb
                                    jean.baldessar

                                    Thanks Darren,

                                    this is the only thing I need to migrate my application to AS7...

                                    Hope for good news

                                    1 2 Previous Next