3 Replies Latest reply on Aug 15, 2006 8:49 AM by chris griffith

    JAAS multi-threaded=true causing SecurityException principal

    Sebastian Degenaar Newbie

      We have setup a seperate tomcat installation (tried with both 5.5.9 and the latest 5.5.17) talking to jboss 4.0.2 (also tried 4.0.4). We are using JAAS authentication with a custom login module authenticating against Active Directory. We are chaining authentication using the org.jboss.security.ClientLoginModule required attribute in the tomcat login.conf. We also have the attributes set for password-stacking = "useFirstPass"; This all works perfect if we use multi-threaded=false. Pretty much single user access. If we set this to true we have very intermident results. Sometimes it works fine, then you will get SecurityExcpetion: Insufficient method permissions, principal=null. Refresh a few times and it seems to find the principal again. I have seemed to reproduce it failing everytime by calling a secured session bean method from a jsp page multiple times and doing a refresh halfway through. This will always cause it to get the Security exception. Hit the refresh a few more times and it seems to find it again. Very strange behaviour. This is possibly happening in our production system as we are using struts. Possibly it is failing a similar way in that it is calling an action and then redirecting...... I have tried many things but am lost for ideas. Has anyone seen anything like this or have any ideas...

      Much appreciated,
      cheers!