1 Reply Latest reply on May 11, 2006 8:06 AM by chris griffith

    Race Condition/Contention Issue using JAAS Custom Security i

    Suman Grandhi Newbie

      I have a classic three tier application: Core, EJB3, and 2 separate Web Projects: WebUserProject and WebAdminProject

      I have successfully configured JAAS Custom Security that can be utilized by both web projects. My custom class uses various EJBs to fully provide the authentication service needed and thus I put my code class into one of the web projects, the WebUserProject.

      Upon starting the server, these are the scenarios that I encountered during my testing.

      1) First user to log in is an Admin User into the WebAdminProject, authentication fails!
      2) Next a client user logs into the WebUserProject, authentication succeeds.
      3) Third, the same admin user tries to attempt to log in again into the WebAdminProject and this time, since it is after a successful client user login in step 2, the authentication succeeds.

      So what it seems like is that the only way authentication works in the WebAdminProject is if a user, any user, has previously logged into the WebUserProject. Keep in mind that the custom code module is located in the WebUserProject, and I have a suspicion that the location of this file may have a lot to do with this bug.

      Is location the real issue?
      If so where should I put the class?
      -In a separate jar placed in the EAR?
      -Make two copies of the same custom classes and put them into each of the web projects?

      Thanks!

        • 1. Re: Race Condition/Contention Issue using JAAS Custom Securi
          chris griffith Expert

          sumankg,

          You have not really provided enough detail to really understand what is going on, but I will give it a stab anyway. From what you have described, I would say location is your problem. If you have custom login modules that are needed by two or more web applications (in separate wars), then you need to externalize those modules so they can be shared. Another less attractive option (which may not be possible depending on what your login modules do) is to have a copy in each war. You have not mentioned if your EJBs are secured. I hope so.

          If this does not make sense, reply with details about your war/ear deployments that describe where stuff is. As well, some info on how your security is configured. Finally, some TRACE logging of what happens when things fail.

          later, cgriffith