Session id is being passed as Principal name
memeslayer Dec 26, 2012 8:31 AM
I am using JBoss Negotiation 2.0.3 SP2 with JBoss 4.3.2 for SPNEGO authentication and AdvancedLdapLoginModule for authorization.
It works fine, however my application calls another EJB application remotely. The remote EJB invocation fails with the following exception:
com.filenet.apiimpl.transport.GetObjectResponse com.filenet.apiimpl.transport.ejbstubs.Engine.getObjects(com.filenet.apiimpl.transport.ClientCallContext,com.filenet.apiimpl.transport.GetObjectRequest) throws java.rmi.RemoteException: com.filenet.api.exception.EngineRuntimeException: E_OBJECT_NOT_FOUND: Requested item not found. Principal 5E363D76A94D2B9AD10D655D17496858 not found.
    at com.filenet.engine.security.SecurityProvider.getUser(SecurityProvider.java:688)
    at com.filenet.engine.jca.impl.RequestBrokerImpl.getUserName(RequestBrokerImpl.java:1291)
    at com.filenet.engine.ejb.EngineCoreBean._getUserName(EngineCoreBean.java:762)
Principal 5E363D76A94D2B9AD10D655D17496858 is the session id used in SPNEGO.
On the local server I can see the following output:
2012-12-26 08:03:10,869 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2012-12-26 08:03:10,869 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: PCSVCFN@PA.LCL
Principal: Roles(members: various roles)
Principal: CallerPrincipal(members:PCSVCFN@PA.LCL)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@4c8b84{principal=5E363D76A94D2B9AD10D655D17496858,subject=6906800}
The principal name is right and that is what should be passed, but I am also confused by the principal=5E363D76A94D2B9AD10D655D17496858 line, which seems to be what gets passed.
To debug, I removed SPNEGO and put back normal FORM authentication, which works fine with the remote EJB. The output comparable to that posted above looks like:
2012-12-26 08:28:12,928 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2012-12-26 08:28:12,929 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: pcsvcfn
Principal: Roles(members: various roles)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@dcdf9c{principal=pcsvcfn,subject=29607531}
So the only difference I see is in the last line of each case. I am compiling the negotiation library from sources and I tried popping and pushing various SubjectContexts or manually setting the Principal in NegotiationAuthenticator, but that doesn't seem to help.
Any suggestions would be welcome. Thank you.