0 Replies Latest reply on Sep 26, 2013 2:43 AM by Franz Wöhrl

    SessionContext switches between former logged in users

    Franz Wöhrl Newbie

      Hi there,

       

      i have a problem with user authentication in ejb layer.

       

      i am using Jboss 7.1.1 Final, but had the same problem with Jboss 5 and 6.

      I have a custom login module defined in the standalone.xml

       

      <security-domain name="ASAMOdsSecurityPolicy" cache-type="default">
           <authentication>
                <login-module code="vwg.audi.sensordb.login.AsamOdsLoginModule" flag="required">
                     ...
                </login-module>
           </authentication>
      </security-domain>
      
      

       

      And an implemenation of that login module with code extraction:

      public boolean login() throws LoginException {
      
          try {
              // fetch login credentials from callback handler
              Callback[] callbacks = new Callback[2];
              NameCallback nc = new NameCallback("Username");
              PasswordCallback pc = new PasswordCallback("Password", false);
              callbacks[0] = nc;
              callbacks[1] = pc;
              this.callbackHandler.handle(callbacks);
      
              userName = nc.getName();
              pw = new String(pc.getPassword());
              this.authenticateAndAuthorizeUser();
      
          } catch (Exception e) {
              throw new LoginException("Login: technical failure! " + e.getClass().getName() + ": " + e.getMessage());
          }
      
          return true;
      }
      
      
      public boolean commit() throws LoginException {
      
          Set<Principal> principals = this.subject.getPrincipals();
      
          userPrincipal = this.createPrincipal(this.userName);
          principals.add(userPrincipal);
      
          // add roles
          this.addRoles(principals, this.user.getRoles());
      
          // add user, he owns the permissions
          principals.add(this.user);
      
          return true;
      }
      
      
      
      
      
      
      
      
      
      
      
      
      
      

       

      I have an EAR with a web and an ejb Project. In web layer, when i look up my subject ( via hhtpSession) everything works fine for me (i get the correct user credential and roles of the logged in user).

      But in business layer, when i call the session context (in this case called within an interceptor, which i am using for authorization)

       

      
      
      
      
      @Resource
      
      
      
          private SessionContext context;
      
      

       

      context.getCallerPrincipal().getName()
      
      

       

      i get the user principal of any user who has logged in formerly:

      08:12:18,632 INFO  [stdout] (http--0.0.0.0-8080-6) sa
      ...
      08:12:18,672 INFO  [stdout] (Thread-78) woehrlf
      ...
      08:12:18,682 INFO  [stdout] (Thread-70) aggregateSB
      
      

       

      he only difference i see between the correct subject (in this case "sa") and the other ones is the thread of the system out (http--0.0.0.0-8080-6 vs Thread-XY).

       

      What am i doing wrong?

      Thanks a lot

       

      Best Regards,

      giga