2 Replies Latest reply on Jun 18, 2012 9:42 AM by jaikiran

    Remote Ejb Calls - SimpleSecurityManager and JBossCachedAuthenticationManager do not work correctly

    michael_gronau

      Hello,

As I still have the problem that my custom login module is called with every remote EJB invocation, I investigated the JBoss code a little bit more. I see that the method SimpleSecurityManager.push(...) is called for every EJB call, and there, for every call, a new instance of SimplePrincipal is created for the SubjectInfo. Then the method authenticate() is called. Here it delegates to the JBossCachedAuthenticationManager, which tries to find an already cached principal, but this cannot work, because the get function of the cache returns null. It returns null because of the newly created SimplePrincipal for the current invocation. The JBossCachedAuthenticationManager pushes back my principal (created in my custom login module), but cannot find it again.

It's like this for every remote EJB call:


1. Call to the EJB

      2. SimpleSecurityManager creates a SubjectInfo with a new(!) instance of SimplePrincipal

      3. SimpleSecurityManager tries to authenticate -> delegates to JBossCachedAuthenticationManager

      4. JBossCachedAuthenticationManager tries to find cached principal with a call to method get() with the principal instance from SimpleSecurityManager

      5. JBossCachedAuthenticationManager finds no cached instance and starts a new authentication with my custom login module

6. My custom login module creates a new instance of Principal and commits it, creates a Group called CallerPrincipal, adds the new Principal to it and adds this group to the current subject

      7. JBossCachedAuthenticationManager pushes back my Principal correctly

8. EJB is called.


9. When you call the EJB again (in a simple for loop or something like that), everything starts again at point 1. The problem is the creation of the new Principal instance for every remote EJB call.


      I think https://issues.jboss.org/browse/AS7-3525 should be reopened. What do you think?


      With best regards,


      Michael Gronau
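The failure mode described in the post above, as an added, constructed illustration that is not JBoss code and not the poster's code: a miniature authentication cache that is keyed on the Principal object handed in by the caller. The `IdentityPrincipal` class, the `login` stand-in for a login module, and the `byInstance`/`byName` maps are all assumptions made for this demo. When every "remote call" constructs a fresh Principal that does not override `equals`/`hashCode`, the instance-keyed lookup misses on every call and the login module runs each time, which is exactly the symptom the post reports. Keying the lookup on the principal's name instead lets the second and later calls hit the cache.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/* Constructed illustration (not JBoss code): a minimal model of an
 * authentication cache keyed on the Principal handed in by the caller. */
public class PrincipalCacheDemo {

    /* Assumption for the demo: a Principal that inherits Object.equals/hashCode,
     * i.e. two instances with the same name are NOT equal. This models a caller
     * that creates a fresh Principal for every invocation. */
    static final class IdentityPrincipal implements Principal {
        private final String name;
        IdentityPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /* Counts how often the simulated login module was invoked. */
    static int loginModuleCalls = 0;

    /* Cache keyed on the Principal object itself. */
    static final Map<Principal, String> byInstance = new HashMap<>();

    /* Cache keyed on the principal's name. */
    static final Map<String, String> byName = new HashMap<>();

    /* Stand-in for the custom login module: expensive, so it should run once per user. */
    static String login(Principal p) {
        loginModuleCalls++;
        return "subject-for-" + p.getName();
    }

    /* Lookup by instance: a new IdentityPrincipal per call never matches a cached key. */
    static String authenticateByInstance(Principal p) {
        String cached = byInstance.get(p);
        if (cached == null) {
            cached = login(p);
            byInstance.put(p, cached);
        }
        return cached;
    }

    /* Lookup by name: the same user hits the cache after the first call. */
    static String authenticateByName(Principal p) {
        String cached = byName.get(p.getName());
        if (cached == null) {
            cached = login(p);
            byName.put(p.getName(), cached);
        }
        return cached;
    }

    /* Simulates n remote calls, each with a fresh Principal, and returns how
     * many times the login module ran with the instance-keyed cache. */
    static int loginRunsWithInstanceKey(int n) {
        loginModuleCalls = 0;
        byInstance.clear();
        for (int i = 0; i < n; i++) {
            authenticateByInstance(new IdentityPrincipal("michael"));
        }
        return loginModuleCalls;
    }

    /* Same simulation with the name-keyed cache. */
    static int loginRunsWithNameKey(int n) {
        loginModuleCalls = 0;
        byName.clear();
        for (int i = 0; i < n; i++) {
            authenticateByName(new IdentityPrincipal("michael"));
        }
        return loginModuleCalls;
    }

    public static void main(String[] args) {
        System.out.println("instance-keyed cache: login module ran "
                + loginRunsWithInstanceKey(5) + " times for 5 calls");
        System.out.println("name-keyed cache:     login module ran "
                + loginRunsWithNameKey(5) + " times for 5 calls");
    }
}
```

With the instance-keyed map the login module runs once per call; with the name-keyed map it runs once for the whole loop. One caveat a practitioner should keep in mind: keying purely on the name is only half of a safe cache. A real authentication cache must still verify the credential supplied with each call against the cached entry, otherwise any caller who presents the right name would reuse a subject that was authenticated with someone else's password. The demo deliberately leaves that check out to keep the cache-key behaviour visible.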