From: Scott M S. (JIRA) <jir...@jb...> - 2005-05-31 23:32:38

[ http://jira.jboss.com/jira/browse/JBAS-1852?page=history ]

Scott M Stark closed JBAS-1852:
-------------------------------
    Resolution: Done

This has been fixed for 4.0.3.

> Unexpected Principal (Security Identity) Propagation Switch
> -----------------------------------------------------------
>
>          Key: JBAS-1852
>          URL: http://jira.jboss.com/jira/browse/JBAS-1852
>      Project: JBoss Application Server
>         Type: Bug
>   Components: EJBs, Security, Web (Tomcat) service
>     Versions: JBossAS-4.0.2 Final
>  Environment: JBoss 4.0.2
>     Reporter: Soon Shin
>     Assignee: Scott M Stark
>      Fix For: JBossAS-4.0.3 Final, JBossAS-5.0 Alpha
>  Attachments: jasshowto_bug_JBAS-1852.zip
>
>
> Problem Definition:
> I have a web application utilizing JAAS (form-based authentication, DatabaseServerLoginModule), Struts, Session Beans and Entity Beans. This configuration is working successfully, but I have noticed an unexpected switch in the Principal that is associated with the EJB invocation layer when more than one call to a session bean is made from the web tier (Struts Action) within one request.
>
> Permissions & Security Identity
>
> Web Tier - User Credentials
>   - id=joe
>   - password=pw
>   - role=administratorRole
>
> Session Bean (fooSessionBean)
>   - Permissions: administratorRole, internalRole
>   - Security Identity (run-as): internalRole
>
> Entity Bean (fooEntityBean)
>   - Permission: internalRole
>   - Security Identity (run-as): internalRole
>
> Note: fooSessionBean.bar() calls fooEntityBean.bar()
>
> Scenario
> 1) User logs in via form authentication (j_security_check)
> 2) User clicks on a link that invokes an action that results in 2 calls to fooSessionBean.bar().
>   2a) First call to fooSessionBean.bar() is successful.
>   2b) Second call to fooSessionBean.bar() fails.
>
> Code:
>   javax.security.auth.login.FailedLoginException: No matching username found in Principals
>
> I set a breakpoint in JaasSecurityManager.isValid(..) (line 251) and noticed that this method is called on the 'second' invocation of fooSessionBean.bar() where the
>
> Code:
>   principal = [roles=[internalRole],principal=anonymous]
>   credential = null
>
> It appears as if the security-identity (run-as) defined for fooSessionBean is replacing the original principal credentials of the user that logged in during the first call to fooSessionBean.bar().

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
- If you want more information on JIRA, or have a bug to report see: http://www.atlassian.com/software/jira
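An added model of the failure mode the reporter describes, written for this page and not code from the JIRA issue or from JBoss: a run-as identity swapped in for fooSessionBean's call into fooEntityBean must be restored to the caller (joe, administratorRole) before the web tier's second call, or the second call reaches the login check as 'anonymous' with a null credential. The SecurityAssociation class, the bean functions and the USERS table are hypothetical simplifications constructed for the example, not JBoss APIs.

```python
from collections import namedtuple
from contextlib import contextmanager
# credential is None for the run-as identity, matching 'credential = null' in the report
Identity = namedtuple("Identity", "principal roles credential", defaults=(None,))

USERS = {"joe": "pw"}  # constructed stand-in for the DatabaseServerLoginModule table

def is_valid(identity):
    # Models the isValid() check: 'anonymous' with a null credential has no matching username
    return (identity is not None and identity.principal in USERS
            and USERS[identity.principal] == identity.credential)

class SecurityAssociation:
    """Caller identity the container consults on each invocation (single thread, hypothetical)."""
    identity = None
    @contextmanager
    def run_as(self, role):
        # Swap in the run-as identity for one invocation and restore the caller
        # afterwards, even if the bean throws.
        saved = self.identity
        self.identity = Identity("anonymous", frozenset({role}))
        try:
            yield
        finally:
            self.identity = saved

def foo_entity_bean_bar(assoc):
    if "internalRole" not in assoc.identity.roles:
        raise PermissionError("fooEntityBean.bar requires internalRole")

def foo_session_bean_bar(assoc, restore_caller):
    caller = assoc.identity
    if not is_valid(caller):
        raise PermissionError("No matching username found in Principals")
    if not caller.roles & {"administratorRole", "internalRole"}:
        raise PermissionError("fooSessionBean.bar not permitted")
    if restore_caller:
        with assoc.run_as("internalRole"):
            foo_entity_bean_bar(assoc)
    else:  # broken variant: run-as identity left in place after the call returns
        assoc.identity = Identity("anonymous", frozenset({"internalRole"}))
        foo_entity_bean_bar(assoc)
    return caller.principal

def web_request(restore_caller=True):
    """One Struts action calling fooSessionBean.bar() twice as user joe."""
    assoc = SecurityAssociation()
    assoc.identity = Identity("joe", frozenset({"administratorRole"}), "pw")
    return [foo_session_bean_bar(assoc, restore_caller) for _ in range(2)]
```

With restore_caller=True both calls see joe; with the broken variant the second call fails with the same "No matching username found in Principals" message the report quotes.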