Uploaded image for project: 'Application Server 7'
  1. Application Server 7
  2. AS7-3227

When a Stateless Session Bean is used as a REST-Resource, calling getUserPrincipal() on an injected SecurityContext sometimes returns null

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • EAP 6.1.0.Alpha (7.2.0.Final)
    • 7.0.2.Final, 7.1.0.CR1b, 7.1.0.Final, 7.1.1.Final
    • REST, Web
    • None
    • Hide

      1. Get a fresh copy of JBoss AS 7.1.0.CR1b "Flux Capacitor", unpack & start standalone mode
      2. Clone sample project under https://github.com/phiber/jboss7-3227-sample
      3. In sample project, run mvn install jboss-as:deploy
      4. In sample project, run mvn -Pintegration-test verify
      5. Get a cup of coffee & wait, the test will eventually fail
      6. Rerun step 4, the test will now always fail after 1 successful call

      Show
      1. Get a fresh copy of JBoss AS 7.1.0.CR1b "Flux Capacitor", unpack & start standalone mode 2. Clone sample project under https://github.com/phiber/jboss7-3227-sample 3. In sample project, run mvn install jboss-as:deploy 4. In sample project, run mvn -Pintegration-test verify 5. Get a cup of coffee & wait, the test will eventually fail 6. Rerun step 4, the test will now always fail after 1 successful call
    • Hide

      3 possible workarounds:

      • Disable EJB pooling
      • Use parameter injection for the SecurityContext
      • Use the equivalent methods on the EJB SessionContext
      Show
      3 possible workarounds: Disable EJB pooling Use parameter injection for the SecurityContext Use the equivalent methods on the EJB SessionContext

      Considered the following stateless session bean which is propagated as a REST-Webservice:

      UserPrincipalRESTService.java
      @Path("/test")
public interface UserPrincipalRESTService {

	@GET
	@Produces(MediaType.TEXT_PLAIN)
	String helloUser();
}
      UserPrincipalRESTServiceImpl.java
      @Stateless
@Local
public class UserPrincipalRESTServiceImpl implements UserPrincipalRESTService {

	@Context
	private SecurityContext securityContext;

    public String helloUser() {
		final String userName = securityContext.getUserPrincipal().getName();
		return "Hello " + userName+"!";
	}
}

      After a certain (sometimes very large) amount of GET Requests on the Resource, the injected SecurityContext's user principal suddenly is null and a NPE is thrown. Once this happened, every second call to the resource will throw a NPE until the application server is restarted.

              rhn-engineering-jharting Jozef Hartinger
              pberger_jira Philipp Berger (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: