The issue is that if I have an authorized user that calls some object, and this object is created with this user's principals, another, unauthorized user can obtain this object from the pool with the authorized user's principals.
I ran into this when I was doing some unit tests. My JUnitEE test class doesn't support authorization, and if I run it before I run the authorized client, it tells me that my user is not in the role. But if I run this authorized user a few times and it creates a pool of objects, then later this JUnitEE class can access my secure bean without any problems. These two client applications are running in separate Tomcat containers; one has basic authentication and the other one doesn't have any.
I don't think it should be like this. In my opinion, the container should check each user's roles before it takes an object from the pool.
Do any of you have any experience with this case?