0 Replies Latest reply on Dec 19, 2005 5:05 PM by a b

    Unauthenticated Access to SessionBean (EJB3)

    a b Newbie

      I define a session bean like so:

      @Stateless
      @SecurityDomain("MySecDomain")
      public class EchoBean implements EchoRemote
      {
       // lots of stuff
      }
      

      I have configured the security domain MySecDomain as "simple property file"-domain in login-config.xml.

      Next I run a client looking up the bean like this:
      Properties env = new Properties();
       env.setProperty(Context.SECURITY_PRINCIPAL, "peter");
       env.setProperty(Context.SECURITY_CREDENTIALS, "spiderman");
       env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
       InitialContext ctx = new InitialContext(env);
      
       EchoRemote echo = (EchoRemote) ctx.lookup(EchoRemote.class.getName());
      
       // do funky things with the bean
      


      If I try to authenticate with wrong credentials, I get a SecurityException and everything's fine...

      BUT if I run the client once authenticating successfully, let it end modify the code so it looks like this...

      InitialContext ctx = new InitialContext();
       EchoRemote echo = (EchoRemote) ctx.lookup(EchoRemote.class.getName());
      
       // do funky things with the bean
      

      ...I suddenly have unauthenticated access to the bean!

      Waiting a while and trying to run the client again some minutes later results in the expected SecurityException.

      What's wrong? Did I miss something?

      Thanks for reading and even more for help or explanations ;-)

      Kind regards
      Martin