SessionContext switches between former logged in users
giga Sep 26, 2013 2:43 AM
Hi there,
I have a problem with user authentication in the EJB layer.
I am using JBoss 7.1.1 Final, but had the same problem with JBoss 5 and 6.
I have a custom login module defined in the standalone.xml
    <security-domain name="ASAMOdsSecurityPolicy" cache-type="default">
        <authentication>
            <login-module code="vwg.audi.sensordb.login.AsamOdsLoginModule" flag="required">
                ...
            </login-module>
        </authentication>
    </security-domain>
And an implementation of that login module (code extraction):
    // login phase: authenticate only; the Subject is not touched until commit()
    public boolean login() throws LoginException {
        try {
            // fetch login credentials from callback handler
            Callback[] callbacks = new Callback[2];
            NameCallback nc = new NameCallback("Username");
            PasswordCallback pc = new PasswordCallback("Password", false);
            callbacks[0] = nc;
            callbacks[1] = pc;
            this.callbackHandler.handle(callbacks);
            userName = nc.getName();
            pw = new String(pc.getPassword());
            this.authenticateAndAuthorizeUser();
        } catch (Exception e) {
            throw new LoginException("Login: technical failure! " + e.getClass().getName() + ": " + e.getMessage());
        }
        return true;
    }

    // commit phase: populate the Subject with the user principal, the roles and the user object
    public boolean commit() throws LoginException {
        Set<Principal> principals = this.subject.getPrincipals();
        userPrincipal = this.createPrincipal(this.userName);
        principals.add(userPrincipal);
        // add roles
        this.addRoles(principals, this.user.getRoles());
        // add user, he owns the permissions
        principals.add(this.user);
        return true;
    }
I have an EAR with a web and an EJB project. In the web layer, when I look up my subject (via HttpSession) everything works fine for me (I get the correct user credential and roles of the logged-in user).
But in the business layer, when I call the session context (in this case called within an interceptor, which I am using for authorization)
    @Resource private SessionContext context;
    context.getCallerPrincipal().getName()
I get the user principal of any user who has logged in formerly:
    08:12:18,632 INFO [stdout] (http--0.0.0.0-8080-6) sa
    ...
    08:12:18,672 INFO [stdout] (Thread-78) woehrlf
    ...
    08:12:18,682 INFO [stdout] (Thread-70) aggregateSB
The only difference I see between the correct subject (in this case "sa") and the other ones is the thread of the System.out (http--0.0.0.0-8080-6 vs Thread-XY).
What am i doing wrong?
Thanks a lot
Best Regards,
giga
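Added example (the editor's, not code from giga's post or from JBoss): a stand-alone JAAS module with the same login()/commit() split as in the extraction above, completed with abort()/logout(), driven through a LoginContext, plus a ThreadLocal standing in for a container's per-thread caller association. The user table, the class names and the ThreadLocal are assumptions made for the demo. It shows that a Subject associated on the request thread is not visible on a freshly started thread unless it is propagated explicitly, and that the association must be cleared on the same thread that set it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-alone JAAS demo (editor's example, not the poster's AsamOdsLoginModule).
public class JaasLifecycleDemo {

    /** Minimal principal type; a container would use its own implementation. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "User(" + name + ")"; }
    }

    /** Two-phase LoginModule: login() verifies, commit() populates the Subject, logout()/abort() clean up. */
    public static class DemoLoginModule implements LoginModule {
        // Constructed credential table for the demo; a real module would query a database or directory.
        private static final Map<String, String> USERS = Map.of("sa", "secret", "woehrlf", "pass");
        private Subject subject;
        private CallbackHandler handler;
        private String userName;
        private boolean loginOk;
        private UserPrincipal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("Username");
            PasswordCallback pc = new PasswordCallback("Password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failure: " + e.getMessage());
            }
            String expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Constant-time comparison; the Subject is not touched during the login phase.
            loginOk = expected != null && given != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(given).getBytes(StandardCharsets.UTF_8));
            if (!loginOk) throw new FailedLoginException("bad credentials for " + nc.getName());
            userName = nc.getName();
            return true;
        }

        public boolean commit() {
            if (!loginOk) return false;
            principal = new UserPrincipal(userName);
            subject.getPrincipals().add(principal);   // only commit() mutates the Subject
            return true;
        }

        public boolean abort() { cleanup(); return true; }
        public boolean logout() { cleanup(); return true; }

        private void cleanup() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null; userName = null; loginOk = false;
        }
    }

    /** Per-thread association of the authenticated Subject, mimicking a container's caller context. */
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    static Subject login(String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
            }
        };
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), h, cfg);
        lc.login();                      // runs login() then commit() on DemoLoginModule
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject sa = login("sa", "secret");
        CURRENT.set(sa);
        try {
            System.out.println("request thread sees: " + CURRENT.get().getPrincipals());
            // A new thread does not inherit the ThreadLocal: the caller must be propagated explicitly.
            Thread worker = new Thread(() -> System.out.println("worker thread sees: " + CURRENT.get()));
            worker.start();
            worker.join();
        } finally {
            CURRENT.remove();            // clear on the same thread, or a pooled thread keeps a stale caller
        }
    }
}
```

Run with `java JaasLifecycleDemo.java` (Java 11 or newer). The request thread prints the "sa" principal while the worker thread prints `null`; whatever mechanism hands work to a non-request thread therefore has to carry the caller identity along, and the finally block is what keeps a reused thread from reporting the previous caller.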