2 Replies Latest reply on Apr 5, 2012 10:17 AM by Nicholas DiPiazza

    EJB2 ejb security no longer thread safe?

    Nicholas DiPiazza Novice

      I have an old application on JBoss 4.2.3.GA and it has been working beautifully for a long time.

       

      We decided to move to either JBoss AS6 or AS7 to get off this old software.

       

      Upon moving, we are experiencing what feels like a thread safety issue with EJB2 security.

       

      We have an EJB2 as follows:

       

      <session id="MyService">
             <ejb-name>MyService</ejb-name>
             <home>com.ndipiazza.MyServiceBeanHome</home>
             <remote>com.ndipiazza.MyServiceBean</remote>
             <ejb-class>com.ndipiazza.MyServiceBeanEJB</ejb-class>
             <session-type>Stateless</session-type>
             <transaction-type>Container</transaction-type>
             <security-role-ref>
                    <role-name>ndipiazzauser</role-name>
                    <role-link>ndipiazzauser</role-link>
             </security-role-ref>
      </session>

       

      com.ndipiazza.MyServiceBeanEJB has a method List getMessages() that our client side of the application uses to get messages.

       

      The client side of the application is a multi-threaded Java Daemon where each Thread represents a tenant stored in the database.  So a tenant in one thread should never see information from another thread.

      Each thread works like this:

      • Initialize
        • Authenticate the Thread with JBoss for this tenant using EJB security.
        • Stores the SecurityContext
      • Run forever ...
        • Query the EJB2 getMessages()
        • Perform alerts based on the messages.
        • Continue loop

       

      When the EJB2 getMessages function is called while 2 or more threads are running, each thread will start seeing other threads' content ... demonstrating that a race condition of some sort is going on.

       

      Note: No principal or string context or anything to identify the tenant is sent into EJB2. It is relying on the EJB session context established during the thread's one-time initialization to identify the correct tenant in the database calls done within the EJB.

       

      A very important piece of the puzzle: If we launch each client thread in its own JVM, the issue goes away. I do not know what that means, and it baffles the heck out of me.

       

      This worked great on JBoss 4.2.3.GA, but no longer works in JBoss AS6 or AS7. Why is this? Any ideas?
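
An added illustration, not code from the post above or from JBoss: the post does not establish a cause, so this only shows how the reported symptoms (cross-tenant results with several threads in one JVM, none with one JVM per tenant) can arise if the caller identity is kept in a single JVM-wide slot rather than per thread. That placement is an assumption, and every class, field and method name here is a hypothetical stand-in.

```java
import java.util.*;
import java.util.concurrent.*;

public class TenantIdentityDemo {
    // Hypothetical stand-ins for a client-side security association (not JBoss classes).
    static volatile String jvmWidePrincipal;                        // one slot shared by every thread
    static final ThreadLocal<String> perThreadPrincipal = new ThreadLocal<>();

    // Stand-in for getMessages(): the server side trusts whichever principal arrives with the call.
    static String getMessages(String callerPrincipal) {
        return "messages-for-" + callerPrincipal;
    }

    // Runs one thread per tenant and counts calls that returned another tenant's data.
    static int countCrossTenantReads(boolean perThread, int tenants, int calls) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(tenants);
        CountDownLatch allLoggedIn = new CountDownLatch(tenants);
        List<Future<Integer>> results = new ArrayList<>();
        for (int i = 0; i < tenants; i++) {
            final String tenant = "tenant" + i;                     // constructed sample tenant id
            Callable<Integer> worker = () -> {
                // One-time initialization: "authenticate" this thread for its tenant.
                if (perThread) perThreadPrincipal.set(tenant); else jvmWidePrincipal = tenant;
                allLoggedIn.countDown();
                allLoggedIn.await();                                // every login done before any query
                int leaks = 0;
                for (int c = 0; c < calls; c++) {
                    String caller = perThread ? perThreadPrincipal.get() : jvmWidePrincipal;
                    if (!getMessages(caller).equals("messages-for-" + tenant)) leaks++;
                }
                return leaks;
            };
            results.add(pool.submit(worker));
        }
        int total = 0;
        for (Future<Integer> f : results) total += f.get();
        pool.shutdown();
        return total;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM-wide identity, cross-tenant reads:   " + countCrossTenantReads(false, 4, 1000));
        System.out.println("per-thread identity, cross-tenant reads: " + countCrossTenantReads(true, 4, 1000));
    }
}
```

With the shared slot the last login wins, so every other tenant's thread reads that tenant's messages; with the `ThreadLocal` no call crosses tenants, which is also what one JVM per tenant gives implicitly.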