1 Reply Latest reply on Mar 27, 2006 8:29 AM by j2ee_junkie

    Push/PopSubjectContext

    matthiasd

      Hi,

I'm trying to access a session bean on a second JBoss instance. Therefore I do a login for the second server using the method SecurityAssociation.pushSubjectContext(...). After the call I use SecurityAssociation.popSubjectContext() to restore the previous login. But it seems that after this call the current principal is still the one from the second login!
      So I looked up the code for popSubjectContext, which looks like this:

      public static SubjectContext popSubjectContext()
      {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null)
            sm.checkPermission(setPrincipalInfoPermission);

         SubjectContext sc = threadSubjectStacks.pop();
         return sc;
      }


      In my opinion something is missing here. The current Principal and Credentials should be set to the values of the SubjectContext element at the top of the stack. Something like this:

      public static SubjectContext popSubjectContext()
      {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null)
            sm.checkPermission(setPrincipalInfoPermission);

         SubjectContext sc = threadSubjectStacks.pop();
         // the context now on top of the stack (null if the stack is empty)
         SubjectContext top = threadSubjectStacks.peek();
         Principal p = (top != null) ? top.getPrincipal() : null;
         Object c = (top != null) ? top.getCredential() : null;
         // make the previous login the active one again; with an empty stack this clears the association
         if (server)
         {
            threadPrincipal.set(p);
            threadCredential.set(c);
         }
         else
         {
            SecurityAssociation.principal = p;
            SecurityAssociation.credential = c;
         }
         return sc;
      }


      Is this correct? Or am I doing something really bad here?
      As a workaround I am currently doing this in my code, which does the same without patching SecurityAssociation:

      // login to second JBoss
      SecurityAssociation.pushSubjectContext(null, new SimplePrincipal(username), password.toCharArray());
      try
      {
         // do call on second JBoss
         ...
      }
      finally
      {
         // now restore the previous login
         // remove second login first
         SecurityAssociation.popSubjectContext();
         // get previous login
         SubjectContext previous = SecurityAssociation.popSubjectContext();
         // re-login with previous principal and credentials
         SecurityAssociation.pushSubjectContext(null, previous.getPrincipal(), previous.getCredential());
      }
      


      Thanks for any comments on this!

        • 1. Re: Push/PopSubjectContext
          j2ee_junkie

          MatthiasD,

          I would first like to impress upon you not to use SecurityAssociation directly. The purpose of the ClientLoginModule is to hide the details of this class so if the API changes, you are shielded from such change. That said, the API of SecurityAssociation has changed since JBoss 4.0.2 to reflect what you have suggested.

          enjoy, cgriffith
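The approach the reply recommends, as an added example that is not part of the original thread or of JBoss itself: switch identity for the call to the second JBoss through a JAAS LoginContext backed by ClientLoginModule, then log out so the caller's previous identity is restored, instead of pushing and popping SecurityAssociation by hand. It assumes a login-config entry named "client-login" that uses org.jboss.security.ClientLoginModule with the option restore-login-identity set to true (the entry name, the XML fragment in the comment, the RemoteAction interface and the RemoteCallAsUser class are all assumptions made for this example).

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

/**
 * Added example (not from the thread above): run a call against the second JBoss
 * as another user via JAAS/ClientLoginModule and restore the caller's identity
 * afterwards, without touching SecurityAssociation directly.
 *
 * Assumed login-config entry (e.g. in conf/login-config.xml; assumption):
 *
 *   <application-policy name="client-login">
 *     <authentication>
 *       <login-module code="org.jboss.security.ClientLoginModule" flag="required">
 *         <module-option name="restore-login-identity">true</module-option>
 *       </login-module>
 *     </authentication>
 *   </application-policy>
 */
public final class RemoteCallAsUser {

    /** Answers the name/password callbacks issued by ClientLoginModule. */
    private static final class UserPassHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;

        UserPassHandler(String user, char[] pass) {
            this.user = user;
            this.pass = pass;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(pass);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** The work to do while the second identity is active (hypothetical interface). */
    public interface RemoteAction<T> {
        T run() throws Exception;
    }

    /**
     * Logs in as remoteUser through the "client-login" configuration, runs the
     * action (e.g. look up and invoke the session bean on the second JBoss), and
     * logs out again in a finally block so the identity that was active before
     * the call is restored even if the remote call throws.
     */
    public static <T> T callAs(String remoteUser, char[] remotePassword, RemoteAction<T> action)
            throws Exception {
        LoginContext lc = new LoginContext("client-login",
                new UserPassHandler(remoteUser, remotePassword));
        lc.login();              // ClientLoginModule makes remoteUser the active principal/credential
        try {
            return action.run();
        } finally {
            lc.logout();         // with restore-login-identity=true the previous identity comes back
        }
    }
}
```

The try/finally matters: if the remote call fails and the logout is skipped, the thread keeps running as the second server's user, which is exactly the "still the principal of the second login" symptom described at the top of the thread.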