1 Reply Latest reply on Mar 30, 2009 9:46 AM by ralfsteppacher

    Caller Principal Set Once And Forever

      Hi,

      I am migrating an existing application from JBoss 4 to 5. I am trying to configure security with JAAS but I am struggling with what probably is a simple configuration setting.

      I have a servlet that is protected with BASIC authentication. I am using the UsersRolesLoginModule to specify my own properties files for users and roles for now.
The servlet calls a stateless session bean. The application does its own authorization based on the principal returned by EJBContext.getCallerPrincipal().

The problem: The caller principal in the context handed to my stateless session bean is set exactly once, when the first user logs in, and never changes after that. If other users make subsequent calls (properly authenticated), the EJBContext always returns the principal of the first user (which screws up the authorization).
      As the JBoss 4 version of the application works I assume the principal in the context did change using that server version.

      Any ideas what I might have missed in the configuration? Or am I mistaken elsewhere?

      I found a workaround solution in the JBoss WIKI:

      Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");


      This seems to return the logged in user correctly when queried in the session bean. Is this the proper way to find out about the logged in user making a request?


      Thanks and regards
      Ralf
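The situation the post describes, as an added example in Java (EJB 3.0 / JBoss 5 era APIs) that is not part of the original post: a stateless session bean that reads the caller both through EJBContext.getCallerPrincipal() and through the JACC PolicyContext handler from the WIKI workaround, and cross-checks the two so a frozen EJBContext principal shows up as a warning rather than a silent authorization mistake. The bean and interface names, the requireOwner() method, and the assumption that JBoss carries roles as a java.security.acl.Group (skipped so only the identity principal is returned) are mine, not from the post or from JBoss.

```java
// Added example, not code from the original post. Bean/interface names,
// requireOwner() and the Group-based role filtering are assumptions.
import java.security.Principal;
import java.security.acl.Group;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

// EJB 3.0 needs a business interface; kept package-private so the file compiles as one unit.
@Local
interface CallerCheck {
    String ejbCallerName();
    String jaccCallerName();
    void requireOwner(String owner);
}

@Stateless
public class CallerCheckBean implements CallerCheck {

    // Handler key defined by the JACC spec; this is the one used in the post.
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";
    private static final Logger LOG = Logger.getLogger(CallerCheckBean.class.getName());

    @Resource
    private SessionContext ctx;

    /** Caller as the EJB container reports it (the value the post sees frozen to the first user). */
    public String ejbCallerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? null : p.getName();
    }

    /** Caller as the JACC Subject handler reports it (the post's workaround). */
    public String jaccCallerName() {
        Subject caller;
        try {
            caller = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            // No handler registered: treat as "unknown caller" rather than guessing.
            throw new EJBAccessException("JACC subject handler unavailable: " + e.getMessage());
        }
        if (caller == null) {
            return null;
        }
        // Assumption: role membership is carried as a java.security.acl.Group
        // principal, so skip Groups and return the first identity principal.
        for (Principal p : caller.getPrincipals()) {
            if (!(p instanceof Group)) {
                return p.getName();
            }
        }
        return null;
    }

    /**
     * Application-level authorization of the kind the post describes: only the
     * owner of a record may act on it. Prefers the JACC view, and logs whenever
     * the EJBContext view disagrees, which is the symptom under discussion.
     */
    public void requireOwner(String owner) {
        String jacc = jaccCallerName();
        String ejb = ejbCallerName();
        if (jacc != null && !jacc.equals(ejb)) {
            LOG.warning("caller mismatch: EJBContext=" + ejb + " JACC=" + jacc);
        }
        String effective = (jacc != null) ? jacc : ejb;
        if (effective == null || !effective.equals(owner)) {
            throw new EJBAccessException("caller " + effective + " is not owner " + owner);
        }
    }
}
```

Deploy the bean behind the BASIC-protected servlet and call requireOwner() with the record owner; if the warning line appears for the second authenticated user, the container's EJBContext principal really is stale while the JACC Subject tracks the request, which is the distinction the post is asking about.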