2 Replies Latest reply on Dec 5, 2005 1:53 PM by Scott Stark

    Wrong SECURITY_PRINCIPAL

    Tine Kurent Newbie

      There's a method in one of our Stateless EJB (named Log) that returns the logged in user. The code below prints out:

      User1: b
      User2: b

      Why??? Two Log EJB's were created using different InitialContexts so I would expect that:

      User1: a
      User2: b

      should be printed.

       public static InitialContext getInitialContext(String as_username, String as_password) throws Exception {
       Properties p = new java.util.Properties();
       p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
       p.put(Context.PROVIDER_URL, "localhost:1099");
       p.put(Context.SECURITY_PRINCIPAL, as_username);
       p.put(Context.SECURITY_CREDENTIALS, as_password);
      
       p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
       p.put("jnp.disableDiscovery", "true");
      
       return new InitialContext(p);
       }
      
       public static void main(String[] args) throws Exception {
       InitialContext lctx1 = getInitialContext("a", "a");
       InitialContext lctx2 = getInitialContext("b", "b");
      
       Log llog1 = ((LogHome)PortableRemoteObject.narrow(lctx1.lookup("MobilePackage/Log"), LogHome.class)).create();
       Log llog2 = ((LogHome)PortableRemoteObject.narrow(lctx2.lookup("MobilePackage/Log"), LogHome.class)).create();
      
       System.out.println("User1: " + llog1.getUserId());
       System.out.println("User2: " + llog2.getUserId());
       }
      
      


        • 1. Re: Wrong SECURITY_PRINCIPAL
          Tine Kurent Newbie

          Just to explain a little bit further: we have a web-app that stores username and password in session (i know ... that's bad) and inside servlets (jsps) is:

          InitialContext lctx = getInitialContext(user, password)
          ...
          lctx.lookup(...)
          ...
          lctx.lookup(...)

          What happenes is that sometimes methods are called with wrong principal.
          We don't actually need different principals on single Thread (like the first code). I found that this can be solved by using InitialContextFactory (instead of JndiInitialContextFactory) with multi-threaded="true" inside auth.conf file.
          Can anything similar be achieved by using JndiInitialContextFactory?

          • 2. Re: Wrong SECURITY_PRINCIPAL
            Scott Stark Master

            The JndiLoginInitialContextFactory is outside or inside of the jboss server? Inside the multi-threaded mode is already the default. Outside it would have to be set by calling SecurityAssociation.setServer().

            I added a feature request for this option:
            http://jira.jboss.com/jira/browse/JBAS-2523