I have a J2EE application that runs on JBoss 4.0.3. The application consists of a web front-end and a EJB 2.1 Stateless Session Bean to implement our business logic.
Users are authenticated by logging into the web interface. A JAAS LoginModule is used to create a security realm for our web tier (configured in our web.xml & jboss-web.xml files). When a business method is invoked on the SSB the users credentials are correctly propagated to the EJB container (the same security realm has been configured in our jboss.xml file).
At this stage declarative security (to apply role permissions to EJB methods in ejb-jar.xml) and programmatic security (to access users principal & role using the interface methods SessionContext.getCallerPrincipal().getName() & SessionContext.isCallerInRole("Admin") respectively) work correctly.
The problem arises when an EJB makes a remote call to another remote EJB on another host with a different username/password . After successfully returning from this remote call our original SSB appears to have an incorrect SesssionContext.
The remote lookup and operation to the second EJB is done using the following function:
// At this point the SessionContext for the current user on the current local ejb is ok, and we can call local authorized methods
Properties env = new Properties();
InitialContext ctx = new InitialContext(env);
Object o = ctx.lookup(jndiRemote);
BlahManagerRemoteHome home = (BlahManagerRemoteHome) PortableRemoteObject.narrow(o, BlahManagerRemoteHome.class);
BlahManagerRemote manager = home.create();
// after the return the SessionContext for the caller EJB is wrong, and we can no longer call our own (local) ejb methods that have authorization on them
Debug logs after the remote call, upon returning to the 1st EJB:
org.jboss.security.SecurityAssociation.getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@7cf002[Subject(27545610).principals=org.jboss.security.SimplePrincipal@28801046(Admin)org.jboss.security.SimpleGroup@2946678(Roles(members:Admin)),credential.class=java.lang.String@5268497,expirationTime=1165984451664
The getPrincipal call shows the correct original user, however the getSubject call shows the user that was used for the remote call. Does anyone know why this is the case and how to fix it?
Alternatviely as a workaround solution we have considered storing a local copy of the Users details (SessionContext.getUserRole(), etc) in the method and somehow restore them after completing each remote call to the other ejb. Does anyone know how to to reset these details into the current SessionContext?