3 Replies Latest reply on Nov 13, 2008 3:09 PM by alrubinger

    EJBContextImpl does not refresh the callerPrincipal

    sguilhen

      Current implementation of org.jboss.ejb3.EJBContextImpl caches the caller principal and never refreshes it again. As a result, getCallerPrincipal() keeps returning the same principal even if the client logs out and then logs back in with another identity.

      For example, consider the following session:

      @Stateless
      public class SimpleStatelessSessionBean implements SimpleSession
      {
      
       @Resource
       private SessionContext context;
      
       public Principal getCallerPrincipal()
       {
       return this.context.getCallerPrincipal();
       }
      }
      


      and this client code:

       login("UserA", "PassA"); // calls the LoginContext to authenticate the UserA
      
       Object obj = getInitialContext().lookup("SimpleStatelessSessionBean/remote");
       SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
      
       Principal principal = session.getCallerPrincipal();
       System.out.println("Principal: " + principal.getName()); // prints "Principal: UserA
      
       logout();
      
       // log back in with a different user
       login("UserB", "PassB");
       principal = session.getCallerPrincipal();
       System.out.println("Principal: " + principal.getName()); // prints "Principal: UserA"
      


      As we can see, the expected principal in the second call should be UserB, but we end up getting UserA because the EJBContextImpl has cached the previous principal and does not refresh it.

      When using EJB2x beans this situation doesn't happen because even though the EJBContextImpl caches the principal, there is an instance interceptor (like StatelessSessionInstanceInterceptor) that refreshes the context's principal with the identity it retrieves from the invocation. Thus, when a client switches to another identity, getCallerPrincipal() reflects the change.

      One way to fix the issue with the EJB3 beans would be to simply get rid of the beanPrincipal property that caches the caller principal and let the getCallerPrincipal() implementation invoke the SecurityContextAssociation to retrieve the updated principal.