0 Replies Latest reply on Nov 7, 2001 4:39 PM by Sean McCullough

    identity crisis, roles diss/re-appear in same http request

    Sean McCullough Newbie

      I'm using JBoss-2.4.3_Tomcat-4.0. The application
      has both a web-application and some ejbs.

      The JSP includes several conditional blocks that
      check whether the user has the 'executive' or 'analyst'
      roles. In this case, the user is logged in as 'e', a
      user with the 'executive' role. He's logged into
      the web-app using FORM. I'm using org.jboss.security.auth.spi.UsersRolesLoginModule
      for name/pwd and role mapping.

      Within the same http session, this logged in user
      will sometimes have the 'executive' role, and sometimes
      he won't. You can literally sit there hitting refresh
      in the browser and watch different role-specific page elements appear and disappear with each request. The page should be the same every time since the roles
      don't change and he isn't logging in/out.

      Example from the log file, tracing a single http request:
      (notice how e is authorized on one line, and later
      requiredRoles=[executive] fails.)

      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[analyst]
      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[analyst]
      [JBossSecurityMgrRealm] User: e is authorized
      [EmbeddedCatalinaServiceSX] jsp: init
      [EmbeddedCatalinaServiceSX] /webtop: 1692ms
      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[analyst]
      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[analyst]
      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[executive]
      [JBossSecurityMgrRealm] User: e is NOT authorized, requiredRoles=[analyst]
      [EmbeddedCatalinaServiceSX] /webtop: 511ms

      from conf/catalina/auth.conf:
      ------------------------------------------
      myapp {
      org.jboss.security.auth.spi.UsersRolesLoginModule required
      unauthenticatedIdentity="nobody";
      };
      ------------------------------------------

      from jboss-web.xml:
      ------------------------------------------
      <security-domain>java:/jaas/myapp</security-domain>
      ------------------------------------------

      from jboss.jcml:
      ------------------------------------------

      org.jboss.security.plugins.JaasSecurityManager
      srp/SRPAuthenticationCache

      ------------------------------------------

      from users.properties:
      ------------------------------------------
      e=pw
      a=pw
      ------------------------------------------

      from roles.properties:
      ------------------------------------------
      e=executive
      a=analyst
      ------------------------------------------

      Does anyone else run into this, or have any idea why
      I'm running into it?

      -Sean