  1. Application Server 7
  2. AS7-3227

When a Stateless Session Bean is used as a REST-Resource, calling getUserPrincipal() on an injected SecurityContext sometimes returns null

Details

    • Bug
    • Resolution: Done
    • Critical
    • 7.0.2.Final, 7.1.0.CR1b, 7.1.0.Final, 7.1.1.Final
    • REST, Web
    • None

      1. Get a fresh copy of JBoss AS 7.1.0.CR1b "Flux Capacitor", unpack & start standalone mode
      2. Clone sample project under https://github.com/phiber/jboss7-3227-sample
      3. In sample project, run mvn install jboss-as:deploy
      4. In sample project, run mvn -Pintegration-test verify
      5. Get a cup of coffee & wait, the test will eventually fail
      6. Rerun step 4, the test will now always fail after 1 successful call


      3 possible workarounds:

      • Disable EJB pooling
      • Use parameter injection for the SecurityContext
      • Use the equivalent methods on the EJB SessionContext

    Description

      Consider the following stateless session bean, which is propagated as a REST-Webservice:

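      UserPrincipalRESTService.java:

      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.MediaType;

      @Path("/test")
      public interface UserPrincipalRESTService {

          @GET
          @Produces(MediaType.TEXT_PLAIN)
          String helloUser();
      }

      UserPrincipalRESTServiceImpl.java:

      import javax.ejb.Local;
      import javax.ejb.Stateless;
      import javax.ws.rs.core.Context;
      import javax.ws.rs.core.SecurityContext;

      @Stateless
      @Local
      public class UserPrincipalRESTServiceImpl implements UserPrincipalRESTService {

          // Field injection of the JAX-RS SecurityContext into a pooled stateless bean
          @Context
          private SecurityContext securityContext;

          public String helloUser() {
              // Throws a NullPointerException when getUserPrincipal() returns null
              final String userName = securityContext.getUserPrincipal().getName();
              return "Hello " + userName + "!";
          }
      }
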

      After a certain (sometimes very large) number of GET requests on the resource, the injected SecurityContext's user principal is suddenly null and an NPE is thrown. Once this has happened, every second call to the resource will throw an NPE until the application server is restarted.
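
The second and third workarounds listed above (parameter injection of the SecurityContext, and the equivalent method on the EJB SessionContext), as an added example that is not code from the sample project or from JBoss. The class name, the two sub-paths, the no-interface bean layout and the 401 response on a missing principal are assumptions made for illustration.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource: name and sub-paths are not from the sample project.
@Stateless
@Path("/test")
public class UserPrincipalWorkaroundResource {

    // Workaround 3: the EJB container's own context, injected via @Resource
    // instead of the JAX-RS @Context field used in the report.
    @Resource
    private SessionContext sessionContext;

    // Workaround 2: the SecurityContext arrives as a method parameter, so it is
    // resolved per call rather than held in a field of a pooled bean instance.
    @GET
    @Path("/param")
    @Produces(MediaType.TEXT_PLAIN)
    public String helloUserFromParameter(@Context SecurityContext securityContext) {
        return greet(securityContext.getUserPrincipal());
    }

    // Workaround 3: getCallerPrincipal() is the SessionContext counterpart of
    // SecurityContext.getUserPrincipal().
    @GET
    @Path("/ejb")
    @Produces(MediaType.TEXT_PLAIN)
    public String helloUserFromSessionContext() {
        return greet(sessionContext.getCallerPrincipal());
    }

    // Assumption: answer 401 when no principal is present, instead of letting
    // a NullPointerException surface as in the reported behaviour.
    private static String greet(Principal principal) {
        if (principal == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        return "Hello " + principal.getName() + "!";
    }
}
```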

            People

              rhn-engineering-jharting Jozef Hartinger
              pberger_jira Philipp Berger (Inactive)