4 Replies Latest reply on Feb 12, 2004 3:01 PM by Scott Stark

    Security, multi-user environment

    Alexey Pismenskiy Newbie

      My question is similar to BrianZ. He wrote:
      -----------------
      We are using SessionContext/EntityContext to get the user name for updating the db. The problem is the last user who logged in is always set for all others in a multi-user environment. Pojos were written in order to isolate the issue, but the problem did not occur. Any suggestions?
      -----------------
      starksm answered:
      -----------------
      I don't understand what you're asking with regard to getCallerPrincipal(). This is the identity of the caller on the current invocation. In a multi-user environment it can change on every call. What is the relationship between the caller of an ejb and the db?
      -----------------

      I try to emulate a multi-user environment with the following code:

      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;

      // User1 has admin privileges
      AppCallbackHandler handler1 = new AppCallbackHandler(UserData.ADMIN_LOGIN, UserData.ADMIN_PASSWORD);
      LoginContext lc1 = new LoginContext("other", handler1);
      lc1.login();
      Subject subj1 = lc1.getSubject();
      Context context1 = new InitialContext();
      Object ref1 = context1.lookup("MySessionFacade");
      MySessionFacadeHome facadeHome1 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref1, MySessionFacadeHome.class);
      MySessionFacade facade1 = facadeHome1.create();
      facade1.method();

      // In the server-side method() I put the following line:
      // log.debug("Principal is " + this.sessionContext.getCallerPrincipal().getName());
      // At this time it will output >>>> Principal is admin

      // User 2 has guest privileges
      AppCallbackHandler handler2 = new AppCallbackHandler(UserData.GUEST_LOGIN, UserData.GUEST_PASSWORD);
      LoginContext lc2 = new LoginContext("other", handler2);
      lc2.login();
      Subject subj2 = lc2.getSubject();
      Context context2 = new InitialContext();
      Object ref2 = context2.lookup("MySessionFacade");
      MySessionFacadeHome facadeHome2 = (MySessionFacadeHome) PortableRemoteObject.narrow(ref2, MySessionFacadeHome.class);
      MySessionFacade facade2 = facadeHome2.create();

      facade2.method();
      // At this time it will output >>>> Principal is guest

      //****

      // Call facade1 again ....
      facade1.method();
      // At this time it will output >>>> Principal is guest

      What code should I put at the line marked //**** so that facade1.method() is called
      with the admin role?
      As I understand from starksm's answer, I must relogin before EACH method() call?
      Probably this situation takes place in servlets/JSPs, which live in the same JVM.

        • 1. Re: Security, multi-user environment
          Scott Stark Master

          Yes, the caller identity must be established before each call, so if you keep switching identities you have to keep logging in as the new caller.

          • 2. Re: Security, multi-user environment
            Alexey Pismenskiy Newbie

            Thanks for your help. The situation is becoming clear.
            But now I don't understand where the login procedures should be placed.
            I use Tomcat/JBoss and restrict access to EJBs by specifying a security domain, configuring ejb-jar.xml etc...
            My assumption is to put the login procedure code in the BusinessDelegate class and call it before each remote method invocation.
            Is that right? What do you advise?

            • 3. Re: Security, multi-user environment
              Alexey Pismenskiy Newbie

              And a last question. Imagine the following code fragment, which is used by the client:

              public class MyBusinessDelegate {
                  MySessionFacadeHome facadeHome;
                  MySessionFacade facade;
                  String user_name;
                  String user_pass;

                  // Constructor (the original had a "void" return type, which makes this an
                  // ordinary method that new MyBusinessDelegate() never runs)
                  public MyBusinessDelegate() {
                      // All required actions to correctly initialize facadeHome and facade, as described above
                  }

                  public void login() {
                      // All required actions to log in, as described in the discussion above
                  }

                  public void method() {
                      facade.method();
                  }
              }

              In a multi-user, multi-threaded environment (servlet):
              1) User A creates a new instance of the MyBusinessDelegate class;
              MyBusinessDelegate InstA = new MyBusinessDelegate();
              2) User B creates a new instance of the MyBusinessDelegate class;
              MyBusinessDelegate InstB = new MyBusinessDelegate();
              3) User A calls login();
              4) User B calls login();
              5) User A calls method();
              In step 5 User A calls method() as user B.

              Does it mean that login() and method() should be synchronized?
              Any ideas?

              • 4. Re: Security, multi-user environment
                Scott Stark Master

                No, provided you use the ClientLoginModule in multi-threaded mode the security association is specific to a thread.
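One way to arrange the per-call login the replies describe, as an added example that is not code from this thread or from JBoss: the delegate runs the JAAS login on the calling thread around each remote invocation and logs out afterwards, so that with the ClientLoginModule configured with multi-threaded=true two servlet threads serving different users do not overwrite each other's identity. AppCallbackHandler, MySessionFacade and MySessionFacadeHome are the poster's classes; the auth.conf fragment in the comment and the logout in finally are assumptions about the deployment.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;

/*
 * Assumed client-side auth.conf entry for the "other" configuration.
 * With multi-threaded=true the JBoss ClientLoginModule keeps the
 * principal/credential association on the calling thread only:
 *
 * other {
 *     org.jboss.security.ClientLoginModule required multi-threaded=true;
 * };
 */
public class MyBusinessDelegate {
    private final MySessionFacade facade;
    private final String userName;
    private final String userPass;

    public MyBusinessDelegate(String userName, String userPass) throws Exception {
        this.userName = userName;
        this.userPass = userPass;
        Context ctx = new InitialContext();
        Object ref = ctx.lookup("MySessionFacade");
        MySessionFacadeHome home =
            (MySessionFacadeHome) PortableRemoteObject.narrow(ref, MySessionFacadeHome.class);
        this.facade = home.create();
    }

    // Each remote call is wrapped in a login on the current thread, so the
    // principal the bean sees via getCallerPrincipal() is this delegate's
    // user rather than whoever logged in last anywhere in the JVM.
    public void method() throws Exception {
        LoginContext lc = new LoginContext("other",
            new AppCallbackHandler(userName, userPass));
        lc.login();
        try {
            facade.method();
        } finally {
            lc.logout(); // drop this thread's association once the call returns
        }
    }
}
```

Because the association is thread-bound, no synchronization between login() and method() is needed; the two must simply happen on the same thread, which the try/finally above guarantees.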