1 Reply Latest reply on Sep 15, 2011 3:53 AM by Kirill Linnik

    JBoss 6.1 securityContext issues

    Kirill Linnik Newbie

      Hello there,

       

      We're implementing standard solution: login through credential provider. Algorithm is pretty easy:

      servlet get's credentials from other system, uses SecurityClient.login to log into DB and ask for corresponding credentials in our DB, and if it finds, do WebAuthentication.login and let's user surf our application.

       

      Things seems to be easy except one bug. It authenticates nicely (using DB and login-config.xml), but this method in JBoss security gives error:

         public Object run()

            {

               SecurityContext sc = getSecurityContext();

               if(sc == null)

                  throw new IllegalStateException("Security Context has not been set");

              

               sc.getUtil().createSubjectInfo(principal, credential, subject);

               //SecurityAssociation.pushSubjectContext(subject, principal, credential);

               credential = null;

               principal = null;

               subject = null;

               return null;

            }

      Yes, after user is authenticated (it means, security domain is initialized using login-config.xml and jboss-web.xml, DB query returns result and etc), security context is null and IllegalStateException thrown:

      2011-09-14 10:30:39,208 ERROR [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-2) Error during authenticate: java.lang.IllegalStateException: Security Context has not been set

              at org.jboss.web.tomcat.security.SecurityAssociationActions$SetPrincipalInfoAction.run(SecurityAssociationActions.java:70) [:6.1.0.Final]

              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_17]

              at org.jboss.web.tomcat.security.SecurityAssociationActions.setPrincipalInfo(SecurityAssociationActions.java:270) [:6.1.0.Final]

              at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:403) [:6.1.0.Final]

              at org.jboss.web.tomcat.security.login.WebAuthentication.login(WebAuthentication.java:93) [:6.1.0.Final]

          ...

      Actually this method is called from here and you can be sure that user is logged in by this moment:

      static void setPrincipalInfo(Principal principal, Object credential, Subject subject)

         {

            SetPrincipalInfoAction action = new SetPrincipalInfoAction(principal, credential, subject);

            AccessController.doPrivileged(action);

         }

      Question: what makes security context null or unaccessible for this class and how to avoid this situation?

       

      Thanks in advance,

      Kirill

        • 1. Re: JBoss 6.1 securityContext issues
          Kirill Linnik Newbie

          Actually we found this bug in SecurityClient. It's not a singleton as it seems to be. So if you SecurityClient in helper class, you should implement true singleton (smth like this):

          package ...;
          
          import org.jboss.security.client.SecurityClient;
          import org.jboss.security.client.SecurityClientFactory;
          
          public class ConnectionUtil {
          
            private static SecurityClient securityClient;
            
            protected static boolean connectToDB() {
              try {
                SecurityClient securityClient = getSecurityClient();
                securityClient.setSimple(..., ...);
                securityClient.login();
                return true;
              }
              catch (Exception e) {
                e.printStackTrace();
                return false;
              }
            }
          
            protected static void disconnectFromDB() {
              try {
                SecurityClient securityClient = getSecurityClient();
                securityClient.logout();
              }
              catch (Exception e) {
                e.printStackTrace();
              }
            }
            
            private static SecurityClient getSecurityClient() throws Exception{
              if ( securityClient == null ){
                securityClient = SecurityClientFactory.getSecurityClient();
              }
              return securityClient;
            }
          }

          In this case the same SecurityClient is on handle and no error occured.