0 Replies Latest reply on Sep 26, 2013 2:43 AM by Franz Wöhrl

    SessionContext switches between former logged in users

    Franz Wöhrl Newbie

      Hi there,


      I have a problem with user authentication in the EJB layer.


      I am using JBoss 7.1.1 Final, but had the same problem with JBoss 5 and 6.

      I have a custom login module defined in the standalone.xml:


      <security-domain name="ASAMOdsSecurityPolicy" cache-type="default">
          <authentication>
              <login-module code="vwg.audi.sensordb.login.AsamOdsLoginModule" flag="required">
              </login-module>
          </authentication>
      </security-domain>


      And an implementation of that login module, with a code extract:

      public boolean login() throws LoginException {
          try {
              // fetch login credentials from callback handler
              Callback[] callbacks = new Callback[2];
              NameCallback nc = new NameCallback("Username");
              PasswordCallback pc = new PasswordCallback("Password", false);
              callbacks[0] = nc;
              callbacks[1] = pc;
              // the handler saved in initialize() must fill the callbacks before
              // they are read, otherwise nc.getName() / pc.getPassword() are null
              callbackHandler.handle(callbacks);
              userName = nc.getName();
              pw = new String(pc.getPassword());
          } catch (Exception e) {
              throw new LoginException("Login: technical failure! " + e.getClass().getName() + ": " + e.getMessage());
          }
          return true;
      }

      public boolean commit() throws LoginException {
          Set<Principal> principals = this.subject.getPrincipals();
          userPrincipal = this.createPrincipal(this.userName);
          // add roles
          this.addRoles(principals, this.user.getRoles());
          // add user, he owns the permissions
          principals.add(userPrincipal);
          return true;
      }


      I have an EAR with a web and an EJB project. In the web layer, when I look up my subject (via HttpSession) everything works fine for me (I get the correct user credentials and roles of the logged-in user).

      But in the business layer, when I call the session context (in this case called within an interceptor, which I am using for authorization)


          // injected by the container
          @Resource
          private SessionContext context;


      I get the user principal of any user who has logged in formerly:

      08:12:18,632 INFO  [stdout] (http-- sa
      08:12:18,672 INFO  [stdout] (Thread-78) woehrlf
      08:12:18,682 INFO  [stdout] (Thread-70) aggregateSB


      The only difference I see between the correct subject (in this case "sa") and the other ones is the thread of the System.out (http-- vs Thread-XY).


      What am I doing wrong?

      Thanks a lot


      Best Regards,
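As an added example, not code from the post or from the project it describes: an EJB authorization interceptor that logs the calling thread together with the caller principal taken from SessionContext (the same two values the stdout lines above show diverging) and fails closed when the caller is unauthenticated or lacks the required role, instead of serving whatever principal happens to be associated with the thread. The class name, the role name "asam-user", the "anonymous" principal name and the @Interceptors wiring on the bean are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Hypothetical interceptor; bind it to a bean with @Interceptors(CallerCheckInterceptor.class).
public class CallerCheckInterceptor {

    // Assumed role name; replace with the role your login module assigns.
    private static final String REQUIRED_ROLE = "asam-user";

    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object checkCaller(InvocationContext ic) throws Exception {
        String method = ic.getMethod().getName();
        String thread = Thread.currentThread().getName();
        Principal caller = sessionContext.getCallerPrincipal();
        String name = (caller == null) ? "<none>" : caller.getName();

        // Log thread and principal side by side so that a call arriving on a
        // worker thread (Thread-NN) with an unexpected principal is visible.
        System.out.println(thread + " -> " + name + " calling " + method);

        // Fail closed: no caller, the container's anonymous principal
        // ("anonymous" is an assumed name), or a missing role all reject the call.
        if (caller == null || "anonymous".equals(name)
                || !sessionContext.isCallerInRole(REQUIRED_ROLE)) {
            throw new EJBAccessException("Caller '" + name + "' on thread '" + thread
                    + "' is not authorized for " + method);
        }
        return ic.proceed();
    }
}
```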