2 Replies Latest reply on Dec 31, 2014 11:42 PM by jaikiran

    Servlet 3.0 AsyncContext and EJB @RolesAllowed

    antlia

      Hi to all,


      Reading the new Servlet 3.0 specification, I found the startAsync method of HttpServletRequest, which claims to do things asynchronously while propagating the right contextual information to the passed Runnable.

      I wrote this code inside the doGet method of my servlet:


      import javax.ejb.EJB;
      import javax.servlet.AsyncContext;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      @EJB
      private EJBManager manager;

      protected void doGet(HttpServletRequest request, HttpServletResponse response)
              throws ServletException {
           if (request.getUserPrincipal() != null && request.isUserInRole("admin")) {
                // Method protected by @RolesAllowed("admin") annotation EJB-side
                manager.verify();
           }

           final AsyncContext ctx = request.startAsync(request, response);
           ctx.start(new Runnable() {
                @Override
                public void run() {
                     HttpServletRequest asyncRequest = (HttpServletRequest) ctx.getRequest();
                     if (asyncRequest.getUserPrincipal() != null && asyncRequest.isUserInRole("admin")) {
                          // Same EJB call, now on the AsyncContext thread: this is the
                          // invocation JBoss rejects
                          manager.verify();
                     }
                     ctx.complete(); // end the async cycle so the response is not left hanging
                }
           });
      }


      When calling manager.verify() the first time, outside the AsyncContext, everything works fine, but when entering the Runnable in debug I can see that, even though the 'if' is successfully passed (so the principal has been correctly propagated to the Runnable in the AsyncContext), when calling the EJB method protected by the @RolesAllowed annotation JBoss throws an exception saying that "The invocation of method verify" is not allowed.


      Can anyone help me?


      Platform: JBoss EAP 6.2.0


      EDIT: Same behavior in JBoss EAP 6.3.0

        • 1. Re: Servlet 3.0 AsyncContext and EJB @RolesAllowed
          antlia

          I understand that JEE Specs report that:

          “Propagation of Security Identity in EJB™ Calls” on page 15-176 are available only to threads executing the initial request or when the request is dispatched to the container via the AsyncContext.dispatch method. Java Enterprise Edition features may be available to other threads operating directly on the response object via the AsyncContext.start(Runnable) method.


          But I cannot understand why I have a non-anonymous principal only in the Servlet container and not in the EJB part.

          IMHO having a principal in a container (any container) should imply a non-anonymous principal in all the containers associated with the same security domain.
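          As an added illustration (not code from this thread or from JBoss), the path the quoted spec text does cover: instead of calling the EJB from inside AsyncContext.start(Runnable), the servlet re-enters the container with AsyncContext.dispatch() and makes the @RolesAllowed-protected call on that second pass, which runs on a container-managed request thread. The servlet class name, the /verify URL pattern and the timeout value are assumptions; EJBManager.verify() is the poster's bean as described above.

```java
import java.io.IOException;

import javax.ejb.EJB;
import javax.servlet.AsyncContext;
import javax.servlet.DispatcherType;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (constructed for this example): same flow as the
// poster's, but the EJB call is made after AsyncContext.dispatch() rather than
// inside AsyncContext.start(Runnable), so it executes on a container thread,
// the case for which the spec promises security-identity propagation.
@WebServlet(urlPatterns = "/verify", asyncSupported = true)
public class AsyncVerifyServlet extends HttpServlet {

    // EJBManager is the poster's bean; verify() is annotated @RolesAllowed("admin").
    @EJB
    private EJBManager manager;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        if (request.getDispatcherType() == DispatcherType.ASYNC) {
            // Second pass: we are back on a container-managed thread via dispatch().
            // The servlet-side role check is only a cheap pre-filter; the EJB's own
            // @RolesAllowed check remains the authoritative one.
            if (request.getUserPrincipal() != null && request.isUserInRole("admin")) {
                manager.verify();
                response.setStatus(HttpServletResponse.SC_OK);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // no further startAsync(): the container completes the response
        }

        // First pass: start the async cycle and hand the request back to the
        // container. Non-EE work (I/O, waiting on a result) could be done in a
        // ctx.start(Runnable) before dispatching; the EJB call itself is deferred
        // to the ASYNC pass above.
        final AsyncContext ctx = request.startAsync(request, response);
        ctx.setTimeout(10000L); // constructed value: fail closed instead of hanging
        ctx.dispatch();         // re-dispatches to this URL with DispatcherType.ASYNC
    }
}
```

          The DispatcherType.ASYNC check is what prevents the dispatched request from starting the cycle again and looping; the role check in the servlet only short-circuits obviously unauthorized callers, and the container's own authorization on the EJB method is still what decides whether verify() runs.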

          • 2. Re: Servlet 3.0 AsyncContext and EJB @RolesAllowed
            jaikiran

            Can you please post the entire exception stacktrace? Also try enabling TRACE level logging of the org.jboss.security package and post those logs too.