Details
-
Bug
-
Resolution: Unresolved
-
Major
-
JBossAS-4.2.3.GA
-
None
Description
Because of the Anonymous issue as reported in https://jira.jboss.org/browse/JBAS-3945, we did coding something similar as following to workaround the issue. This was suggested by the JBOSS support team.
---------------------------------------------------------------------------------------------
When we are changing the principal (performing another login) we need to call
these Jboss APIs in our login module:
SecurityAssociation.popRunAsRole()
SecurityAssociation.pushRunAsRole()
This will pop the old run-as role and push the new run as role (which we want
the second transaction to run as).
Change the JAAS login module to explicitly set the new principal and
credentials during login. This was after the callback handler handle method
was invoked and we had the principal and credentials:
SecurityAssociation.setPrincipal(new SimplePrincipal(username));
SecurityAssociation.setCredential(password);
--------------------------------------------------------------------------------------------------------------------------
After doing this, we started seeing priniciple is shared amoung the threads. For example, user 1 logs in and see's information about user 2. This happens only after heavy load testing. This is also reproducible after couple of hours of running load test.
If we remove the above code, then the issue goes away. But anonymous issue appears.
Any Help is appreciated in helping finding the root cause of the issue.
