2 Replies Latest reply on Dec 5, 2001 4:36 AM by Konstantin

    Bug in Jbos 2.4.0 /Tomcat 3.2.1 integration ( Major one!!!!

    Konstantin Newbie

      Hi all,
      just discorvered major bug in security integration of jboss - <jsp:include> is bad for security.

      Short explanation:
      I have ejb method which needs caller principal

      ( ctx.getCallerPrincipal() )

      When I call bean from very start of jsp page,
      it gets correct principal.
      <%= SecurityAssociation.getPrincipal().toString() %>
      embedded into jsp also gives correct output.


      But after I issue <jsp:include> - principal in
      security association is reset to 0

      ( and JbossSecurityMgrRealm does this on puprose,
      I checked it )

      I think this comes from infamous jsp which serves
      includes as subrequests, thus fooling jboss
      into assumption that this request is done
      and he can reset any securoty association.


      I know that JSP suks, and will replace it in my project ASAP, but I what do I do meanwhile?

      Any suggestions?