2 Replies Latest reply on Dec 31, 2014 11:42 PM by jaikiran pai

    Servlet 3.0 AsyncContext and EJB @RolesAllowed

    Antlia Antlia Newbie

      Hi to all,

       

      reading new Servlet 3.0 specifications, I found startAsynch method for HttpServletRequest, which claims to make things in asynchronous way propagating the right contextual information to the passed runnable.

       

      I wrote this code inside doGet method of my servlet:

       

      @EjB
      private EJBManager manager;
      
      protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
           if(request.getUserPrincipal() != null && request.isUserInRole("admin"))
                //Method protected by @RolesAllowes("admin") annotation EJB-side
                manager.verify();
      
           final AsyncContext ctx = request.startAsync(request,response);
           ctx.start(new Runnable(){
                HttpServletRequest = (HttpServletRequest)ctx.getRequest();
                if(request.getUserPrincipal() != null && request.isUserInRole("admin"))
                     //Method protected by @RolesAllowes("admin") annotation EJB-side
                     manager.verify();
           });
      }
      
      
      
      

       

      When calling manager.verify() the first time, outside AsyncContext everything works fine, but when entering inside the Runnable in debug, i can see that, even the 'if' is succesfully passed (so the principal has been correctly propagated to the Runnable in AsyncContext), when calling the EJB method protected by the @RolesAllowed annotation, JBoss throws an exception saying that "The invocation of method verify" is not allowed.

       

      Can anyone help me?


      Platform: JBoss EAP 6.2.0


      EDIT: Same behavior in JBoss EAP 6.3.0

        • 1. Re: Servlet 3.0 AsyncContext and EJB @RolesAllowed
          Antlia Antlia Newbie

          I understand that JEE Specs report that:

          “Propagation of Security Identity in EJB™ Calls” on page 15-176 are available only to threads executing the initial request or when the request is dispatched to the container via the AsyncContext.dispatch method. Java Enterprise Edition features may be available to other threads operating directly on the response object via the AsyncContext.start(Runnable) method.

           

          But I cannot understand why I've a non-anonymous principal only in Servlet container and not in the EJB part.

          IMHO having a principal in a container (any container), should imply a non-anonymous principal in all the containers associated to the same security domain.

          • 2. Re: Servlet 3.0 AsyncContext and EJB @RolesAllowed
            jaikiran pai Master

            Can you please post the entire exception stacktrace? Also try enabling TRACE level logging of the org.jboss.security package and post those logs too.