4 Replies Latest reply on Oct 18, 2005 7:03 PM by dode

HTTP authentication sporadically fails

dode Oct 18, 2005 3:57 PM

Hello,

I have set up container managed security for a servlet in a webapp, using BASIC authentication. I am using the "jbossmq" security domain, which is configured as DatabaseServerLoginModule using a local MySQL database. So I am actually using JMS_USERS and JMS_ROLES for authentication. This is convenient, because the servlet is only doing JMS related tasks.

It all works fine, but when I "bomb" the servlet with HTTP POST requests from many concurrently running instances of a little test HTTP client, the authentication sporadically (for around 5 out of 1000 requests) fails in two ways:

- When there are many concurrent requests from the same user, I sometimes get a "HTTP status 403 Access to the requested resource has been denied".

- When there are many concurrent requests from different users, sometimes getUserInRole() in the servlet fails, even though I can see that there is a match between the remote user of that particular request and the role it is tested against.

I have set the org.apache log categrory to DEBUG and I can see, that checking the roles of a user sometimes fails:

2005-10-18 21:41:17,073 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[appuser1(SOMServlet,SOMapp1,guest,)]
2005-10-18 21:41:17,073 DEBUG [org.apache.catalina.realm.RealmBase] Username appuser1 has role SOMServlet
2005-10-18 21:41:17,075 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[appuser2(SOMServlet,SOMapp1,guest,)]
2005-10-18 21:41:17,075 DEBUG [org.apache.catalina.realm.RealmBase] Username appuser2 has role SOMServlet

appuser2 gets role SOMapp1, which is definetely wrong:

mysql> select * from JMS_ROLES;
+--------------+----------+
| ROLEID | USERID |
+--------------+----------+
| guest | appuser1 |
| SOMapp1 | appuser1 |
| SOMServlet | appuser1 |
| guest | appuser2 |
| SOMapp2 | appuser2 |
| SOMServlet | appuser2 |
| guest | guest |
| guest | servlet |
| SOMAllQueues | servlet |
+--------------+----------+

Does anybody know what the reason for this behaviour could be?

Thanks,
Torsten

1. Re: HTTP authentication sporadically fails

starksm64 Oct 18, 2005 6:28 PM (in response to dode)

Using what jboss version?
Actions
2. Re: HTTP authentication sporadically fails

dode Oct 18, 2005 6:48 PM (in response to dode)

Sorry, forgot to mention. It's 4.0.3 with JDK 1.5.0.

Torsten
Actions
3. Re: HTTP authentication sporadically fails

starksm64 Oct 18, 2005 6:53 PM (in response to dode)

Make sure you have the workaround for this bug enabled:
http://jira.jboss.com/jira/browse/JBAS-2357
Actions
4. Re: HTTP authentication sporadically fails

dode Oct 18, 2005 7:03 PM (in response to dode)

Thank you very much. Next time, I'll try to search better.

Torsten
Actions

Go to original post