Just to back up what Jan said....

If you want to access beans that have security constraints, then currently
the URL must be one that has an authentication-constraint specified. The
happenstance that a browser is actually sending basic authentication
information to a non-authenticated URL is not enough to trigger a call to
the JBoss authentication mechanisms. You must have an authentication
constraint.

Do you see a need for it to be any different to this?

cheers

Jan Bartel wrote:
> Ignacio,
>
> (I'm cross posting this to jboss-dev and jetty-discuss)
>
> I think your current problem has in fact always been a problem with
> your webapp, but it has just been unmasked by a modification to the
> thread authentication stuff we did recently. What we did was to ensure
> that when a Jetty/JBoss thread has finished servicing a request, the
> user principal and credentials were disassociated from the thread -
> otherwise all subsequent work done by that thread in servicing another
> request would use that security information.
>
> So, in your case, what I think is happening is that your webapp has
> appeared to work in the past because the principal and credentials from
> the hit with basic authentication were remaining attached to the
> servicing thread, so the subsequent "non-authenticated" hit was in fact
> using them.
>
> I am assuming that you have defined security constraints on your beans -
> when these beans are called by a thread that has been through the
> basic authentication, the access proceeds ok. Now when these beans are
> called by a thread which has not been through any authentication then
> naturally they fail due to the lack of any principal or credentials
> being set up.
>
> So, I think the security is in fact working as it should (but maybe not
> as you expected).
>
> Does any of that make sense?
>
> Jan
>
> Ignacio Coloma wrote:
>
>> Yes!
>>
>> This is the same bug I posted yesterday. I was wrong identifying it, tried
>> today to reproduce the bug but wasn't able. The bug is closed as invalid,
>> which is true (I thought the problem could be inside of JBoss). Maybe it has
>> something to do with the thread authentication that Greg changed recently?
>>
>> I use BASIC auth, and if I open an authenticated browser in the protected
>> zone of my webapp and another on the free zone (no user/pass) I get an
>> exception one out of every 3 times more or less. Good, because before reading
>> this mail I couldn't remember my exact situation and started thinking that I
>> was getting crazy or simply dumb (well, more than usual, that is):
>>
>> 00:48:27,876 WARN [Jetty] WARNING: Servlet Exception for /en/publico/articulos/200003
>> java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
>>     java.lang.SecurityException: Authentication exception, principal=null
>> java.lang.SecurityException: Authentication exception, principal=null
>>     at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:167)
>>     at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:91)
>>     at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:109)
>>     at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:295)
>>     at org.jboss.ejb.Container.invoke(Container.java:702)
>>     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
>>     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
>>     at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
>>     at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
>>     at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:73)
>>     at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:76)
>>     at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:185)
>>     at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:96)
>>     at $Proxy67.create(Unknown Source)
>>     at com.myapp.servlet.publico.ConsultarArticulos.service(ConsultarArticulos.java:79)
>>     at com.myapp.servlet.AbstractServlet.service(AbstractServlet.java:71)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>     at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:326)
>>     at org.mortbay.jetty.servlet.Dispatcher.dispatch(Dispatcher.java:259)
>>     at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:156)
>>     at com.myapp.servlet.LocaleRedirect.service(LocaleRedirect.java:85)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>     at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:326)
>>     at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:572)
>>     at org.mortbay.http.HttpContext.handle(HttpContext.java:1356)
>>     at org.mortbay.http.HttpContext.handle(HttpContext.java:1309)
>>     at org.mortbay.http.HttpServer.service(HttpServer.java:744)
>>     at org.jboss.jetty.Jetty.service(Jetty.java:530)
>>     at org.mortbay.http.HttpConnection.service(HttpConnection.java:743)
>>     at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:916)
>>     at org.mortbay.http.HttpConnection.handle(HttpConnection.java:758)
>>     at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:145)
>>     at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:287)
>>     at org.mortbay.util.ThreadPool$JobRunner.run(ThreadPool.java:715)
>>     at java.lang.Thread.run(Thread.java:484)
>>
>>> -----Original Message-----
>>> From: jules [mailto:jules] On behalf of Jules Gosnell
>>> Sent: Thursday, 21 March 2002 0:47
>>> To: [EMAIL PROTECTED]
>>> Subject: [jetty-discuss] [Fwd: [JBoss-dev] Authentication with Jetty]
>>>
>>> I guess that this is probably me, but just in case - does it ring any
>>> bells ?
>>>
>>> Jules
>>>
>>> For the latest information about Jetty, please see
>>> http://jetty.mortbay.org
>>>
>>> To alter your subscription to this list goto
>>> http://groups.yahoo.com/group/jetty-discuss
>>>
>>> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

-- 
Greg Wilkins<[EMAIL PROTECTED]>          GB  Phone: +44-(0)7092063462
Mort Bay Consulting Australia and UK.    Mbl Phone: +61-(0)4 17786631
http://www.mortbay.com                   AU  Phone: +61-(0)2 98107029

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
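The thread-association behaviour Jan describes, as an added illustration that is not part of this thread and not JBoss or Jetty code: a pooled worker thread services an authenticated request and then an unauthenticated one. `SecurityAssociationStub`, `NamedPrincipal` and `checkSecurityAssociation` are invented stand-ins for the container's thread-local principal store and for the EJB-side check that raised the `principal=null` exception above; the request paths and the user name are constructed sample values.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class ThreadAssociationDemo {

    // Hypothetical stand-in for a thread-local principal store, not the real JBoss class.
    static final class SecurityAssociationStub {
        private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
        static void setPrincipal(Principal p) { PRINCIPAL.set(p); }
        static Principal getPrincipal()       { return PRINCIPAL.get(); }
        static void clear()                   { PRINCIPAL.remove(); }
    }

    // Minimal Principal implementation for the demo.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stand-in for the container-side check: no principal on the thread means no access.
    static void checkSecurityAssociation() {
        if (SecurityAssociationStub.getPrincipal() == null) {
            throw new SecurityException("Authentication exception, principal=null");
        }
    }

    // One request serviced by whichever pooled thread runs it. 'authenticated' means the
    // web tier associated a principal after BASIC auth; 'clearAfterRequest' is the
    // disassociation step Jan describes being added to Jetty/JBoss.
    static String serviceRequest(String path, boolean authenticated, boolean clearAfterRequest) {
        try {
            if (authenticated) {
                SecurityAssociationStub.setPrincipal(new NamedPrincipal("ignacio")); // constructed user
            }
            checkSecurityAssociation();
            return path + " -> ok as " + SecurityAssociationStub.getPrincipal().getName();
        } catch (SecurityException e) {
            return path + " -> " + e.getMessage();
        } finally {
            if (clearAfterRequest) {
                SecurityAssociationStub.clear(); // principal no longer leaks to the next request
            }
        }
    }

    // A single worker thread guarantees the same thread services both requests in turn,
    // which is the situation in which the leak shows up.
    static List<String> run(boolean clearAfterRequest) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        List<String> results = new ArrayList<>();
        try {
            Future<String> first = pool.submit(
                () -> serviceRequest("/protected/page", true, clearAfterRequest));
            results.add(first.get());
            Future<String> second = pool.submit(
                () -> serviceRequest("/en/publico/page", false, clearAfterRequest));
            results.add(second.get());
        } finally {
            pool.shutdown();
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Without clearing (old behaviour):");
        run(false).forEach(r -> System.out.println("  " + r));
        System.out.println("With clearing (current behaviour):");
        run(true).forEach(r -> System.out.println("  " + r));
    }
}
```

Run with `clearAfterRequest` false, the second, unauthenticated request passes the check under the first request's principal, which is the "appeared to work" state Jan describes; with it true, the second request fails with the same `principal=null` message Ignacio logged, because the URL it came in on never went through an authentication constraint. The fix for the webapp is therefore an auth-constraint on that URL, not a change to the clearing.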
