3 Replies Latest reply on Apr 12, 2013 2:02 PM by matlach

    EJB @Asynchronous security issue



      I have an EJB method "x" annotated with @Asynchronous and I've activated the login module "RealmUsersRoles".

      The asynchronous pool is set to 10.

      Method x is called from a JSF backing bean.

      User-A logs in and calls method x 9 times. getCallerPrincipal always returns "User-A". Threads 1 to 9 will be used.

      User-B logs in and calls method x. EJB container assigns thread 10 and getCallerPrincipal returns "User-B".

      That's OK so far.

      Then User-B calls method x again. EJB container assigns thread 1 and getCallerPrincipal returns "User-A" (not "User-B")!!


      getCallerPrincipal() seems to store the user principal the first time the thread is used. In all subsequent calls the user principal isn't updated. The original user principal is always used?!


      Any suggestions?
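An added example (not from the post or from JBoss) that makes the mismatch described above observable: the asynchronous method reports the principal it sees, and a synchronous caller compares it with the principal that actually invoked it and fails closed on disagreement. Bean and class names are hypothetical; the two classes are shown in one file for brevity.

```java
import java.security.Principal;
import java.util.concurrent.Future;
import javax.annotation.Resource;
import javax.ejb.AsyncResult;
import javax.ejb.Asynchronous;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical stand-in for the "x" method in the post.
@Stateless
public class AsyncCallerBean {

    @Resource
    private SessionContext ctx;

    // Runs on a thread from the asynchronous pool and returns the principal
    // name the container exposes on that thread (null if unauthenticated).
    @Asynchronous
    public Future<String> x() {
        Principal p = ctx.getCallerPrincipal();
        return new AsyncResult<String>(p == null ? null : p.getName());
    }
}

// Hypothetical synchronous caller, e.g. what a JSF backing bean would delegate to.
@Stateless
class AsyncCallerCheck {

    @Resource
    private SessionContext ctx;

    @EJB
    private AsyncCallerBean bean;

    // Invokes x() and verifies that the principal seen inside the async
    // invocation is the same user who triggered it.
    public String invokeChecked() throws Exception {
        Principal invoker = ctx.getCallerPrincipal();
        String expected = invoker == null ? null : invoker.getName();
        Future<String> result = bean.x();
        String seen = result.get();
        if (expected == null || !expected.equals(seen)) {
            // Treat a mismatch as a security-context leak: do not act on the result.
            throw new IllegalStateException(
                "caller principal mismatch: invoked by " + expected
                + " but async thread reported " + seen);
        }
        return seen;
    }
}
```

A thrown mismatch reproduces the symptom described in the post (thread 1 reporting "User-A" for a call made by "User-B"); until the cause is resolved, authorization decisions inside the asynchronous method should not rely on the principal observed there.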