[SEAMSECURITY-110] Document that an implementation of the Authenticator interfaces must not be @Stateless - JBoss Issue Tracker

Details

Type: Feature Request
Status: Resolved (View Workflow)
Priority: Blocker
Resolution: Done
Affects Version/s: 3.1.0.Beta3
Fix Version/s: 3.1.0.Beta4
Labels:
None

Affects:

Release Notes

Description

Document that an implementation of the Authenticator interface must not be @Stateless. It is not obvious from the documentation and can cause fatal bug in an application. The bug may not actually be reproducible in a development environment and only manifest itself in production, when the SLSB pool serves different instances for each invocation.

Besides a note in the docs, I would suggest that seam-security validates this, e.g.:

    public void validateAuthenticatorImplementation(@Observes ProcessSessionBean<Authenticator> event)

        if (SessionBeanType.STATELESS.equals(event.getSessionBeanType()))

            event.addDefinitionError(new IllegalStateException("Authenticator " + event.getBean().getClass() + " cannot be a Stateless Session Bean"));

Gliffy Diagrams

Issue Links

relates to

SEAM-106 seam booking - an implementation of Authenticator must not be @Stateless

Resolved

Activity

Hide

Permalink

Shane Bryzak added a comment - 11/Oct/11 2:22 AM

Docs and security extension updated, thanks Jozef.

Show

Shane Bryzak added a comment - 11/Oct/11 2:22 AM Docs and security extension updated, thanks Jozef.

People

Assignee:

Shane Bryzak

Reporter:

Jozef Hartinger

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

07/Oct/11 12:01 PM

Updated:

20/Oct/11 6:15 PM

Resolved:

11/Oct/11 2:22 AM

Development

Agile

View on Board