I'm working with JAAS and I have the following problem.
I have two MBeans started. Each of them starts a thread running in a loop (T1 and T2). One of them connects to remote server A and the second to server B. Each server uses JAAS as a security manager with DatabaseServerLoginModule.
I have made a test which proves that both threads can work with only one LoginContext with the login() method called before the first call to any EJB.
The login() method sets security associations, so there is a possibility that when each thread creates its own LoginContext and calls the login() method, we don't know with what security associations the EJB is called by either thread.
Let's assume that each thread creates its own LoginContext with a different username in the callback object and then calls an EJB on a remote server (the username used in T1 exists only on server A and the one used in T2 exists only on server B). In addition, there is no synchronization between the two threads, so we don't know if the EJB on remote server A is called by T1 before T2 calls the login() method or after.
If before, there is no problem. If after, the username is taken from T2 and it doesn't exist on server A, so login fails.
How to avoid this problem and be sure that security associations are properly set before calling the EJB?
Maybe it is possible to create two LoginContexts for each thread (doubtful for me)?
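The interleaving described in the question, as an added plain-Java model that is not part of the original post and uses no JAAS or JBoss classes: it forces "T2 calls login() before T1 calls the EJB" and compares a single process-wide association slot with a per-thread slot. All names (`AssociationRaceDemo`, `callEjb`, `userA`, `userB`) are hypothetical, and how the real client stores the association is not stated in the post.

```java
import java.util.concurrent.CountDownLatch;
import java.util.function.Consumer;
import java.util.function.Supplier;

public class AssociationRaceDemo {
    // Model 1 (assumption): one process-wide slot, overwritten by every login().
    static volatile String sharedUser;
    // Model 2 (assumption): one slot per thread.
    static final ThreadLocal<String> perThreadUser = new ThreadLocal<>();

    // Stand-in for a remote EJB call: each server knows exactly one user.
    static String callEjb(String server, String knownUser, String caller) {
        return server + ": " + (knownUser.equals(caller) ? "OK" : "login failed") + " for " + caller;
    }

    // Forces the order from the post: T1 login, T2 login, then T1 calls server A.
    static String[] run(Consumer<String> login, Supplier<String> current) throws InterruptedException {
        String[] results = new String[2];
        CountDownLatch t1LoggedIn = new CountDownLatch(1);
        CountDownLatch t2LoggedIn = new CountDownLatch(1);
        Thread t1 = new Thread(() -> {
            login.accept("userA");
            t1LoggedIn.countDown();
            awaitLatch(t2LoggedIn);          // T2's login() lands before T1's EJB call
            results[0] = callEjb("A", "userA", current.get());
        });
        Thread t2 = new Thread(() -> {
            awaitLatch(t1LoggedIn);
            login.accept("userB");
            t2LoggedIn.countDown();
            results[1] = callEjb("B", "userB", current.get());
        });
        t1.start(); t2.start(); t1.join(); t2.join();
        return results;
    }

    static void awaitLatch(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared slot:     " + String.join(" | ", run(u -> sharedUser = u, () -> sharedUser)));
        System.out.println("per-thread slot: " + String.join(" | ", run(perThreadUser::set, perThreadUser::get)));
    }
}
```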