JBAS-1852: Unexpected Principal (Security Identity) Propagation Switch
Project: Application Server 3, 4, 5 and 6

Description

      Problem Definition:

      I have a web application utilizing JAAS (form-based authentication, DatabaseServerLoginModule), Struts, Session Beans and Entity Beans. This configuration is working successfully, but I have noticed an unexpected switch in the Principal that is associated with the EJB invocation layer when more than one call to a session bean is made from the web tier (Struts Action) within one request.

      Permissions & Security Identity

      Web Tier - User Credentials

      • id=joe
      • password=pw
      • role=administratorRole

      Session Bean (fooSessionBean)

      • Permissions: administratorRole, internalRole
      • Security Identity (run-as): internalRole

      Entity Bean (fooEntityBean)

      • Permission: internalRole
      • Security Identity (run-as): internalRole

      Note: fooSessionBean.bar() calls fooEntityBean.bar()

      Scenario

      1) User logs in via form authentication (j_security_check)

      2) User clicks on link that invokes an action that results in 2 calls to fooSessionBean.bar().

      2a) First call to fooSessionBean.bar() is successful.

      2b) Second call to fooSessionBean.bar() fails.

          javax.security.auth.login.FailedLoginException: No matching username found in Principals

      I set a breakpoint in JaasSecurityManager.isValid(..) (line 251) and noticed that this method is called on the 'second' invocation of fooSessionBean.bar() where the

          principal = [roles=[internalRole],principal=anonymous]
          credential = null

      It appears as if the security-identity (run-as) defined for fooSessionBean is replacing the original principal credentials of the user that logged in during the first call to fooSessionBean.bar().
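The following Java program is an added example, not code from the JBoss project or from the reporter. It models the hypothesis stated above: a per-thread security association holding the authenticated caller plus a run-as stack, a container security interceptor that lets a bean's run-as identity overwrite the caller slot, and one request in which a Struts action calls fooSessionBean.bar() twice. The bean names, roles, user and credential are the ones given in this report; the SecurityAssociation and Container classes, the isValid stand-in and the user store are assumptions of the model, not JBoss's actual implementation.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

public class RunAsPropagationDemo {

    /** Identity as the container sees it: principal, credential (null for run-as) and roles. */
    static final class Identity {
        final String principal, credential;
        final Set<String> roles;

        Identity(String principal, String credential, String... roles) {
            this.principal = principal;
            this.credential = credential;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }

        @Override public String toString() { return "[roles=" + roles + ",principal=" + principal + "]"; }
    }

    /** Assumed per-thread security association: the authenticated caller plus a stack of run-as identities. */
    static final class SecurityAssociation {
        Identity caller;
        final Deque<Identity> runAs = new ArrayDeque<>();
    }

    /** Stand-in for JaasSecurityManager.isValid: re-check the credential against a constructed user store. */
    static boolean isValid(Identity id) {
        return "joe".equals(id.principal) && "pw".equals(id.credential);
    }

    /** Container security interceptor; restoreCaller=false reproduces the switch described in the report. */
    static final class Container {
        final SecurityAssociation assoc;
        final boolean restoreCaller;

        Container(SecurityAssociation assoc, boolean restoreCaller) { this.assoc = assoc; this.restoreCaller = restoreCaller; }

        void invoke(String method, Set<String> permittedRoles, String runAsRole, Runnable body) {
            Identity active = assoc.runAs.peek();
            if (active == null) {
                active = assoc.caller;   // no run-as in effect: an external caller, authenticate it first
                if (!isValid(active)) {
                    throw new SecurityException("FailedLoginException: No matching username found in Principals (principal="
                            + active + ", credential=" + active.credential + ") calling " + method);
                }
            }
            if (Collections.disjoint(active.roles, permittedRoles)) {
                throw new SecurityException(method + ": " + active + " lacks " + permittedRoles);
            }
            Identity savedCaller = assoc.caller;
            boolean pushed = false;
            if (runAsRole != null) {
                Identity runAsIdentity = new Identity("anonymous", null, runAsRole);
                assoc.runAs.push(runAsIdentity);
                assoc.caller = runAsIdentity;   // the switch the report describes: run-as overwrites the caller slot
                pushed = true;
            }
            try {
                body.run();
            } finally {
                // Correct behaviour restores the saved caller on every exit path; the faulty variant leaves run-as in place.
                if (pushed) { assoc.runAs.pop(); if (restoreCaller) assoc.caller = savedCaller; }
            }
        }
    }

    /** One request: form login as joe, then a Struts action that calls fooSessionBean.bar() twice. */
    static String runRequest(boolean restoreCaller) {
        SecurityAssociation assoc = new SecurityAssociation();
        assoc.caller = new Identity("joe", "pw", "administratorRole");   // result of j_security_check
        Container container = new Container(assoc, restoreCaller);
        Set<String> sessionPerms = new HashSet<>(Arrays.asList("administratorRole", "internalRole"));
        Set<String> entityPerms = Collections.singleton("internalRole");
        // fooSessionBean.bar() runs as internalRole and calls fooEntityBean.bar(), which also runs as internalRole.
        Runnable bar = () -> container.invoke("fooSessionBean.bar", sessionPerms, "internalRole",
                () -> container.invoke("fooEntityBean.bar", entityPerms, "internalRole", () -> { }));
        int completed = 0;
        try {
            bar.run();
            completed++;
            bar.run();
            completed++;
            return "calls completed=" + completed + ", caller after request=" + assoc.caller;
        } catch (SecurityException e) {
            return "calls completed=" + completed + ", then " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("faulty  : " + runRequest(false));
        System.out.println("restored: " + runRequest(true));
    }
}
```

With restoreCaller=false the first call succeeds and the second fails with the same state the breakpoint showed (principal=anonymous, roles=[internalRole], credential=null), because the run-as stack is empty again but the caller slot still holds the run-as identity, so the interceptor tries to authenticate it. With restoreCaller=true the caller identity is saved before the switch and put back in the finally block, so the second call authenticates as joe. The defensive point is general: any interceptor that swaps a thread's security identity must restore the previous value on every exit path, including exceptions, or the switched identity leaks into the next invocation on that thread.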

People: starksm64 Scott Stark (Inactive), soon_shin_jira Soon Shin (Inactive)