EJB 3.0 / EJBTHREE-384

Security Problem - Server fails to clear user authentication after standalone client disconnects


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: EJB 3.0 RC4 - PFD, EJB 3.0 RC3

I have a standalone client that calls a stateless session bean through the remote interface via RMI. The method in the session bean has a security domain and requires a specific role by an authenticated user. I use the DatabaseServerLoginModule for authentication.

As expected, if I call the method from the client without logging in on the client, I get a security exception. When I log in, using the ClientLoginModule, the method succeeds.

The problem is that after I log in once and subsequently log out and/or kill the client, the server never clears the authentication and I can continue to call this protected method successfully without ever logging in again. Even after restarting the client process, I can still access the method without logging in. The only thing that resets the authentication is to stop the JBoss server and restart it again. THIS IS A MAJOR PROBLEM as any client that gets the same thread has all the roles of the previously logged in user without having to log in and authenticate.

I log out on the client; however, that can't have any effect on the server because once you end the method call to the session bean, you no longer have a connection to the server thread. I can't conceive of how to log out on the server itself from the client since you can't guarantee getting the same thread again. Since the server automatically sets the principal and credential when the client connects, it seems it should automatically unset it when the client connection ends.

I've read the security documentation and tried everything I could glean from it, including setting the DefaultCacheTimeout on the JAASSecurityManager to zero, but nothing has any effect on this problem.

I came up with a simple example application that reproduces the problem. All it has is one session bean with one method, the datasource and the login-config configurations. And a simple client app that calls the server. I can provide the code if needed although there really isn't anything to it.
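The failure mode the reporter describes is a thread-bound security context that is set when a caller's credentials arrive but never unbound, so the next request served by the same worker thread inherits the previous caller's principal and roles. The following is an added illustration of that pattern and its fix; it is not code from the reporter's reproducer or from JBoss. The `SecurityContext`, `Invoker` and `authenticate` names, and the in-memory user table standing in for the DatabaseServerLoginModule lookup, are all assumptions constructed for the example.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundSecurityContextDemo {

    // Hypothetical thread-bound security context. It stands in for the server-side
    // principal/credential association the report describes; it is not a JBoss class.
    static final class SecurityContext {
        private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();
        final String principal;
        final Set<String> roles;

        SecurityContext(String principal, Set<String> roles) {
            this.principal = principal;
            this.roles = roles;
        }

        static void set(SecurityContext ctx) { CURRENT.set(ctx); }
        static SecurityContext current() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Constructed user table standing in for the DatabaseServerLoginModule lookup.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("manager"));

    static SecurityContext authenticate(String user, String password) {
        if (!password.equals(PASSWORDS.get(user))) {
            throw new AccessDeniedException("bad credentials for " + user);
        }
        return new SecurityContext(user, ROLES.get(user));
    }

    // Server-side invoker. clearAfterCall=false reproduces the leak from the report:
    // the context bound to the worker thread outlives the request that set it.
    static final class Invoker {
        private final boolean clearAfterCall;

        Invoker(boolean clearAfterCall) { this.clearAfterCall = clearAfterCall; }

        String invokeProtected(String user, String password, String requiredRole) {
            if (user != null) {                       // credentials arrived with this call
                SecurityContext.set(authenticate(user, password));
            }
            try {
                SecurityContext ctx = SecurityContext.current();
                if (ctx == null || !ctx.roles.contains(requiredRole)) {
                    throw new AccessDeniedException("caller lacks role " + requiredRole);
                }
                return "protected method ran as " + ctx.principal;
            } finally {
                if (clearAfterCall) SecurityContext.clear();  // the fix: unbind on every exit path
            }
        }
    }

    // Runs an authenticated call and then an anonymous call on the same worker thread,
    // mirroring a client that reconnects and happens to be served by that thread again.
    static String runScenario(Invoker invoker) throws InterruptedException, ExecutionException {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> invoker.invokeProtected("alice", "s3cret", "manager")).get();
            Callable<String> anonymous = () -> {
                try {
                    return "LEAK: " + invoker.invokeProtected(null, null, "manager");
                } catch (AccessDeniedException e) {
                    return "OK: " + e.getMessage();
                }
            };
            return worker.submit(anonymous).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("never cleared     -> " + runScenario(new Invoker(false)));
        System.out.println("cleared in finally -> " + runScenario(new Invoker(true)));
    }
}
```

With `clearAfterCall` false, the anonymous second call runs as `alice` because the thread-local still holds her context, which is the symptom in the report; with it true, the same call is denied because the context was removed in the `finally` block of the first call. The `finally` matters: clearing only on the success path would leave the context bound whenever the protected method throws. A useful server-side check for this class of bug is a test like `runScenario` that issues a credentialed call followed by an uncredentialed one on a single-thread executor and asserts the second is denied.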

People: William Decoste (wdecoste1@redhat.com, Inactive); Luigi Putanesca (jwynett, Inactive)
Votes: 0
Watchers: 1