6 Replies Latest reply on Mar 31, 2011 4:20 PM by Mario Bislick

    Problem keeping a user logged between threads

    Mario Bislick Newbie

      Hey everyone! First of all I am new using JBoss and wasn't sure if this was the right place where to put my qustion so I apologize if it wasn't.

       

      I have an application that is autheticating using JAAS against a database, the queries are fine and it actually authenticates the user using a setSimple(userLogin, pwd). The client has its domain defined and some of the class functions can only be accessed if the user has the appropiate roles. The problem is that once I authenticate the user in the main thread, it seems like if i have to authenticate again in each of the child threads of the client, calling it the function I use to authenticate  with a null user and a null pasword (thus throwing an exception)

       

      I think that theres gotta be someway for the server/client to remember that the user is actually authenticated so it wont be authenticated more than once in each thread of the application. Is that actually paussible? Or how do I prevent the server/client from doing it after I authenticated the user the first time?

       

      There is no logout call in the code other than the one I use if the (userLogin, pwd) combination is invalid.

       

      Hope anyone can help me with this.

       

      Thanks.

        • 1. Problem keeping a user logged between threads
          Wolfgang Knauf Master

          Hi,

           

          take a look at this thread: http://community.jboss.org/thread/43907

           

          Which JBoss version do you use?

           

          Hope this helps

           

          Wolfgang

          • 2. Re: Problem keeping a user logged between threads
            Mario Bislick Newbie

            Hi Wolfgang, and thanks for your reply.

             

            I'm using JBoss 5.1.0.GA and I just read the thread you linked and I think we have the same issue. I modified the code to use the .setClient() but it didnt work. Here is a snippet of the code I use to do the login:

             

             

                  SecurityClient securedClient = null;

                  try {

                       SecurityContextAssociation.setClient();

                       securedClient = SecurityClientFactory.getSecurityClient();

                       securedClient.setSimple(userLogin, password);

                       securedClient.login();

                  } catch (Exception e) {

                       securedClient.logout();

                  }

             

             

            Also, I'm trying to configure this:   

                 org.jboss.security.ClientLoginModule required

                 multi-threaded=false;

             

            But I cant find where should I do that.

            • 3. Problem keeping a user logged between threads
              Wolfgang Knauf Master

              Hi,

               

              the "multi-threaded=false" fragment needs to be places in a file "auth.conf", and thus you have to use a JAAS login instead of "simple" login. See the security FAQ at http://community.jboss.org/wiki/SecurityFAQ - the answers for question 10 shows you the first steps of performing a JAAS login. If there are more questions left, feel free to ask. Unfortunately, I did not find an english website which explains this in detail.

               

              Alternative: did you try to set the system property "org.jboss.security.context.ThreadLocal=false", as described in https://issues.jboss.org/browse/SECURITY-415

               

              Best regards

               

              Wolfgang

              • 4. Re: Problem keeping a user logged between threads
                Mario Bislick Newbie

                Hello again!

                 

                 

                I used the SecurityContextAssociation.setClient(); before I call SecurityClientFactory.getSecurityClient(); and had no luck, then I created an auth.conf file and put it into my resources and it didnt seem to work either. Dunno if I have to do anything else other than just creating the file.

                 

                Inside the auth.conf is:

                 

                jmx-console {

                    org.jboss.security.ClientLoginModule required;

                    multi-threaded=false;

                };

                 

                 

                 

                EDIT: I haven't tried yet the JAAS login you suggested above

                • 5. Re: Problem keeping a user logged between threads
                  Mario Bislick Newbie

                  Hi again,

                   

                  I tried to use the JAAS login but I get an exception and it won't even login now... It seems like if it isn't recognizing the security domain I specify as the first parameter 'cuz it throws and execption when I initialize the LoginContext Object.

                   

                  I did set the system property "org.jboss.security.context.ThreadLocal=false" with System.setProperty("org.jboss.security.context.ThreadLocal", "false"); but the problem is still there.

                  • 6. Re: Problem keeping a user logged between threads
                    Mario Bislick Newbie

                    Well I finally tried the JAAS login with the suggested auth.conf and still have the same problem: I can login in the main thread but the authentitation is ost in its children threads.

                     

                    Here is the code that does the login:

                     

                         System.setProperty("java.security.auth.login.config","conf/auth.conf");

                         System.setProperty("org.jboss.security.context.ThreadLocal", "false");

                          SecurityAssociationHandler handler = new SecurityAssociationHandler();

                                                                SimplePrincipal userJAAS = new SimplePrincipal(user);

                                                                handler.setSecurityInfo(userJAAS, password);

                                                                LoginContext loginContext =

                                                                 new LoginContext("jmx-console",

                                                                              (CallbackHandler) handler);

                    //                                            SecurityContextAssociation.setClient();

                                                                loginContext.login();

                     

                     

                    I really dunno what is wrong since apparently everything is "fine", I really appreciate any help or guidance anyone could give.

                     

                    Thanks in advance.