Hi!

I am setting up the security for Flex to work together with the EJB 3 
Container security. The user should login within the AIR application 
via a custom login screen and the authentication should be verified 
against the configured JBoss login module. For all further ds 
requests the authorization check should be done for every EJB method 
by the EJB container. All EJB methods have a 
@javax.annotation.security.RolesAllowed(...) annotation.

The EJBs are called within an assembler.

In principle the process works until the EJB is called by a new RTMP 
worker thread. Within the new RTMP thread the principal is null and 
the authorization fails.

I have set up the security as follows:
* The custom security and Tomcat valve have been set up as described 
in the LCDS docs (copy jars, copy context.xml)
* The services-config.xml contains the following part:
    ...
    <security>
        <login-command class="flex.messaging.security.TomcatLoginCommand" server="all" />
        <security-constraint id="basic-read-access">
            <auth-method>Custom</auth-method>
            <roles>
                <role>FLEX</role>
            </roles>
        </security-constraint>
    </security>
    ...

* The data-management-config.xml contains the following part:
    <destination id="id">
        <security>
            <security-constraint ref="basic-read-access"/>
        </security>
        <adapter ref="java-dao" />
    ...


* The login is performed within the MXML as follows:

import mx.controls.Alert;
import mx.messaging.ChannelSet;
import mx.rpc.AsyncResponder;
import mx.rpc.AsyncToken;
import mx.rpc.events.ResultEvent;

var token:AsyncToken = ds.connect();
token.addResponder(
  new AsyncResponder(
    // AsyncResponder invokes the result handler as handler(data, token),
    // so the handler has to declare both parameters
    function(data:Object, token:Object = null):void
    {
      if (ds.connected)
      {
        var channelSet:ChannelSet = ds.channelSet;
        // login() returns its own token; named loginToken to avoid
        // shadowing the handler's token parameter
        var loginToken:AsyncToken = channelSet.login("user", "pwd");

        loginToken.addResponder(new AsyncResponder(
          function(event:ResultEvent, token:Object = null):void
          {
            switch (event.result)
            {
              case "success":
                Alert.show("Login success");
...

I get the success result, and when the first EJB calls are performed 
from the data service assembler the principal is set and the 
authorization works.

But if the EJB is called within another RTMP worker thread no 
principal is set and the authorization fails.

How can I share the security login context over more than one worker 
thread?

Thanks in advance,
taze