3 Replies Latest reply on Oct 29, 2013 8:29 AM by sowa

    Unexpected switching of users

    sowa

      Hi,


      I've got a strange problem:


      The web app is running on EAP 5.1 together with EJB 2.x.

      I've also got a Java client connecting to the EJB using org.jboss.security.jndi.JndiLoginInitialContextFactory.


      The web app is working fine until I run the Java client (which uses credentials from some prop file).


      The web app is using some additional authorization stuff (let's call it the rights checker), which in fact is checking roles from the SecurityAssociation.getSubject object.

      The problem is that after running the Java client, the web app is calling the rights checker, which is getting a bad principal name (instead of the web username it gets the username used by the Java client), and in addition the subject object is null.

      The problem seems to be quite random; I mean I'm not able to get it every time after running the Java client. Sometimes I need to run the Java client a couple of times.

      But when I hit this situation and refresh the page using F5, I get the correct principal name and the subject is not null.


      So, some conclusions:

      The user is using the web app, then he manually starts the Java client in the background; after the Java client finishes, the user tries to use the web browser and hits the problem. Then he presses the refresh button and the app works correctly again. But he can press refresh many times and hit the problem many times (it is random).


      Any ideas?


        • 1. Re: Unexpected switching of users
          ctomc

          Hey,


          This forum is mostly meant for EAP 6.1 and up.

          For 5.1 you could try over at the AS < 7 forums (JBoss AS) or contact Red Hat support.


          --

          tomaz

          • 2. Re: Unexpected switching of users
            wdfink

            I've moved your question to the JBossAS forum.

            As Tomaz mentioned, you might use the Red Hat support portal if you have an EAP version with an active subscription.

            • 3. Re: Unexpected switching of users
              sowa

              I've done some debugging and:

              - for the case when the application is returning bad user info, I noticed that inside the SecurityAssociation.getPrincipal() method the security context is obtained like this:

              SecurityContext sc = SecurityContextAssociation.getSecurityContext();

              And the securityDomain property of the sc object has the value CLIENT_LOGIN_MODULE.


              - for the case when the application is returning correct user info, the securityDomain property is set to the correct value ('internal' in my case; the same value is defined in jboss.xml (<security-domain>java:/jaas/internal</security-domain>) for all EJB apps).
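The symptom reported in the original post and the securityDomain values found in the debugging above are consistent with one mechanism, which is an assumption and not something the thread confirms: an EJB invocation authenticated by the remote client leaves a security context associated with a pooled server thread, and a later request served by the same thread reads that stale association. The following is an added illustration written for this page; it is not code from EAP 5.1, JBoss or the poster, and it replaces the real org.jboss.security.SecurityContextAssociation and SecurityContext classes with minimal stand-ins so it compiles with only the JDK. It shows the two defensive measures that matter regardless of the exact root cause: restore the thread association in a finally block after any identity-bearing call, and make the rights checker fail closed (reject any context whose subject is null or whose securityDomain is not the expected one, here 'internal' from jboss.xml).

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

/**
 * Added illustration (hypothetical model, not EAP/JBoss code): a thread-local
 * security association that leaks from an EJB call authenticated by a remote
 * client into a later request handled by the same pooled worker thread.
 */
public class ContextLeakDemo {

    /** Stand-in for org.jboss.security.SecurityContext (only the fields used here). */
    static final class SecurityContext {
        final String securityDomain;
        final String principalName;
        final Object subject;          // null models the "subject is null" symptom from the post

        SecurityContext(String securityDomain, String principalName, Object subject) {
            this.securityDomain = securityDomain;
            this.principalName = principalName;
            this.subject = subject;
        }
    }

    /** Stand-in for the thread-local held by SecurityContextAssociation. */
    static final ThreadLocal<SecurityContext> ASSOCIATION = new ThreadLocal<>();

    /** Domain the apps are deployed under (java:/jaas/internal in jboss.xml, per the thread). */
    static final String EXPECTED_DOMAIN = "internal";

    /** Leaky EJB call: associates the client's context with the thread and never clears it. */
    static void ejbCallLeaky(String clientUser) {
        ASSOCIATION.set(new SecurityContext("CLIENT_LOGIN_MODULE", clientUser, null));
        // ... EJB work would run here ...
    }

    /** Same call, but the previous association is restored in finally whatever happens. */
    static void ejbCallClean(String clientUser) {
        SecurityContext previous = ASSOCIATION.get();
        ASSOCIATION.set(new SecurityContext("CLIENT_LOGIN_MODULE", clientUser, null));
        try {
            // ... EJB work would run here ...
        } finally {
            if (previous == null) ASSOCIATION.remove(); else ASSOCIATION.set(previous);
        }
    }

    /**
     * Fail-closed rights checker: it trusts the association only when it carries a
     * non-null subject from the expected domain. A leaked CLIENT_LOGIN_MODULE context
     * is therefore refused instead of being mistaken for the web user.
     */
    static boolean rightsCheck(String expectedWebUser) {
        SecurityContext sc = ASSOCIATION.get();
        if (sc == null || sc.subject == null || !EXPECTED_DOMAIN.equals(sc.securityDomain)) {
            System.out.println("REJECT: association=" + (sc == null ? "none"
                    : sc.securityDomain + "/" + sc.principalName + "/subject=" + sc.subject));
            return false;
        }
        return expectedWebUser.equals(sc.principalName);
    }

    public static void main(String[] args) throws Exception {
        // A single-thread pool forces both tasks onto the same worker thread, which a
        // real pool does only sometimes; that is what makes the reported problem "random".
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> ejbCallLeaky("clientuser")).get();
            pool.submit(() -> System.out.println("after leaky call, rights granted: "
                    + rightsCheck("webuser"))).get();

            pool.submit(ASSOCIATION::remove).get();          // reset the worker thread
            pool.submit(() -> ejbCallClean("clientuser")).get();
            pool.submit(() -> System.out.println("after clean call, rights granted: "
                    + rightsCheck("webuser"))).get();
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }
}
```

Run it with `javac ContextLeakDemo.java && java ContextLeakDemo`. After the leaky call the checker sees the client's CLIENT_LOGIN_MODULE context with a null subject on the reused thread and refuses it, which is the safe outcome for exactly the state described in this thread; after the clean call nothing is left on the thread, so the checker again refuses rather than granting anything. In a real deployment the web layer would populate the association for the web user before the checker runs, and the point of the fail-closed branch is that a stale or foreign context can never pass as that user.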