-
Bug
-
Resolution: Obsolete
-
Major
-
JBossAS-4.0.4.GA
-
None
-
Linux splice 2.6.16-rc4 #9 PREEMPT Thu May 4 11:30:04 NZST 2006 i686 GNU/Linux
java version "1.6.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-beta-b59g)
Java HotSpot(TM) Client VM (build 1.6.0-beta-b59g, mixed mode, sharing)
Release ID: JBoss [Zion] 4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)Linux splice 2.6.16-rc4 #9 PREEMPT Thu May 4 11:30:04 NZST 2006 i686 GNU/Linux java version "1.6.0-beta" Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-beta-b59g) Java HotSpot(TM) Client VM (build 1.6.0-beta-b59g, mixed mode, sharing) Release ID: JBoss [Zion] 4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)
-
Compatibility/Configuration
After looking up home using JndiLogincontextFactory the jboss securityassociation is stored in the threadlocal.
So if we persist the handle and then retrieve it, or access it in another thread the security infomation is lost.
How to get the EJBObject in a secure way
first accessed by: kermit
12:00:37,427 INFO [STDOUT] 0
second access gives
12:00:38,645 ERROR [STDERR] java.rmi.AccessException: SecurityException; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=SessionSecurityBean, method=getEJBObject, interface=HOME, requiredRoles=[basic], principalRoles=[]
Even if we <unchecked/> getEJBObject the security information is lost and subsequent bean members are executed in a undefined security context.
The only work around I have is to lookup the HOME first. This sets the threads SecurityAssociation again.
Shouldn't the Remote stub or Handle contain a clone or something to automatically reconstruct the SecurityAssociation, and what are the implications on security if I leave a preauthenticated handle lying around somewhere. I dont think the J2EE spec doesn't cover this aspect of security.
I have worked on a testcase ant build file and all, please email me for it. warren.crossing@nec.com.au.
Thanks.
