0 Replies Latest reply on Dec 26, 2012 8:31 AM by meme slayer

    Session id is being passed as Principal name

    meme slayer Newbie

      I am using JBoss Negotiation 2.0.3 SP2 with JBoss 4.3.2 for SPNEGO authentication and AdvancedLdapLoginModule for authorization.

      It works fine, however my application calls another EJB application remotely. Remote EJB invocation fails with the following exception:



      com.filenet.apiimpl.transport.GetObjectResponse com.filenet.apiimpl.transport.ej
      enet.apiimpl.transport.GetObjectRequest) throws java.rmi.RemoteException:
      com.filenet.api.exception.EngineRuntimeException: E_OBJECT_NOT_FOUND: Requested
      item not found. Principal 5E363D76A94D2B9AD10D655D17496858 not found.
              at com.filenet.engine.security.SecurityProvider.getUser(SecurityProvider
              at com.filenet.engine.jca.impl.RequestBrokerImpl.getUserName(RequestBrok
              at com.filenet.engine.ejb.EngineCoreBean._getUserName(EngineCoreBean.jav

      Principal 5E363D76A94D2B9AD10D655D17496858 is the session id used in SPNEGO.

      On the local server I can see the following output:

      2012-12-26 08:03:10,869 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
      2012-12-26 08:03:10,869 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                Principal: PCSVCFN@PA.LCL
                Principal: Roles(members(various roles)
                Principal: CallerPrincipal(members:PCSVCFN@PA.LCL)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@4c8b84{principal=5E363D76A94D2B9AD10D655D17496858,subject=6906800}

      The principal name is right and that is what should be passed, but I am also confused by the principal=5E363D76A94D2B9AD10D655D17496858 part, which seems to be what gets passed.

      To debug, I removed SPNEGO and put back normal FORM authentication, which works fine with the remote EJB. The output comparable to that posted above looks like:

      2012-12-26 08:28:12,928 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
      2012-12-26 08:28:12,929 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                Principal: pcsvcfn
                Principal: Roles(members: various roles)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@dcdf9c{principal=pcsvcfn,subject=29607531}

      So the only difference I see is in the last line in both cases. I am compiling the Negotiation library from source, and I tried popping and pushing various SubjectContexts or manually setting the Principal in NegotiationAuthenticator, but that doesn't seem to help.


      Any suggestions would be welcome. Thank you.
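As an added diagnostic, not part of the original post and not JBoss or FileNet code, the script below parses `SecurityAssociation` TRACE output of the shape quoted above and flags a `pushSubjectContext` call whose `SubjectContext` principal does not match the Subject's `CallerPrincipal` (or its first plain principal). The two sample log excerpts are constructed from the post; the heuristic that an opaque SPNEGO session id looks like 32 hex characters is an assumption drawn from the single value shown above, and the parsing of `CallerPrincipal(members:...)` assumes the group-principal format seen in these lines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample traces, modelled on the two excerpts in the post.
SPNEGO_TRACE = """\
2012-12-26 08:03:10,869 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2012-12-26 08:03:10,869 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
          Principal: PCSVCFN@PA.LCL
          Principal: Roles(members(various roles)
          Principal: CallerPrincipal(members:PCSVCFN@PA.LCL)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@4c8b84{principal=5E363D76A94D2B9AD10D655D17496858,subject=6906800}
"""

FORM_TRACE = """\
2012-12-26 08:28:12,928 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2012-12-26 08:28:12,929 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
          Principal: pcsvcfn
          Principal: Roles(members: various roles)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@dcdf9c{principal=pcsvcfn,subject=29607531}
"""

PUSH_RE = re.compile(r"pushSubjectContext, subject=Subject:")
PRINCIPAL_RE = re.compile(r"^\s*Principal:\s*(.+?)\s*$")
# The SubjectContext summary line: ", sc=...{principal=<name>,subject=<hash>}"
CONTEXT_RE = re.compile(r"^\s*,\s*sc=.*?\{principal=([^,}]*)")
# Group-style principals such as Roles(...) or CallerPrincipal(members:...)
GROUP_RE = re.compile(r"^(\w+)\((.*)\)$")
# Assumption: an opaque SPNEGO session id is 32 hex characters, as in the post.
OPAQUE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class PushRecord:
    """One pushSubjectContext call reconstructed from the TRACE lines."""
    simple_principals: list = field(default_factory=list)
    caller_principal: Optional[str] = None
    context_principal: Optional[str] = None


def parse_push_subject_context(text):
    """Collect every pushSubjectContext block (Subject principals + SubjectContext principal)."""
    records = []
    current = None
    for line in text.splitlines():
        if PUSH_RE.search(line):
            current = PushRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = PRINCIPAL_RE.match(line)
        if m:
            name = m.group(1)
            g = GROUP_RE.match(name)
            if g is None:
                current.simple_principals.append(name)
            elif g.group(1) == "CallerPrincipal":
                member = re.search(r"members:?\s*([^)]+)", g.group(2))
                if member:
                    current.caller_principal = member.group(1).strip()
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current.context_principal = m.group(1)
            current = None  # block complete
    return records


def check_record(rec):
    """Compare the SubjectContext principal with the identity the Subject actually carries."""
    expected = rec.caller_principal or (rec.simple_principals[0] if rec.simple_principals else None)
    ctx = rec.context_principal
    return {
        "context_principal": ctx,
        "expected_principal": expected,
        "mismatch": ctx is not None and expected is not None and ctx != expected,
        "looks_like_opaque_id": bool(ctx and OPAQUE_ID_RE.match(ctx)),
    }


if __name__ == "__main__":
    for label, trace in (("SPNEGO", SPNEGO_TRACE), ("FORM", FORM_TRACE)):
        for rec in parse_push_subject_context(trace):
            print(label, check_record(rec))
```

Run against a server log at TRACE level for `org.jboss.security`, a `mismatch` result with `looks_like_opaque_id` set is exactly the symptom described in the post: the Subject names the Kerberos user, but the context object that remote EJB calls propagate carries the session id instead.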