My application has an ejb 2.1 timer, which triggers some work. The work must be
done using the same principal that requested the work. So, I start the timer
with an info object that contains the principal's login and password. When the
timer expires, I try to authenticate using principal data from the info object,
and run the task. I understand that it is not possible to change principal
during execution of a business method, so I use the same code that I use on the
client to authenticate, create a new bean and run it's methods, thus making the
ejbTimeout method a client to the container. Here is the code:
| public void ejbTimeout(Timer timer) {
| final OptInfo info = (OptInfo)timer.getInfo();
| try {
| Properties p = new Properties();
| p.put(Context.INITIAL_CONTEXT_FACTORY,
"org.jboss.security.jndi.LoginInitialContextFactory");
| p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
| p.put(Context.PROVIDER_URL, "jnp://localhost:1099");
| p.put(Context.SECURITY_PRINCIPAL, info.user.username);
| p.put(Context.SECURITY_CREDENTIALS, info.user.password);
| p.put(Context.SECURITY_PROTOCOL, "client-login");
|
| InitialContext ctx = new InitialContext(p);
| Object home = ctx.lookup(WalkOptimizerHome.JNDI_NAME);
|
| WalkOptimizerHome optimizerHome =
(WalkOptimizerHome)PortableRemoteObject.narrow(home, WalkOptimizerHome.class);
| WalkOptimizer optimizer = optimizerHome.create();
|
| optimizer.runOptimization(info);
| } catch (NamingException e) {
| Category.getInstance("WalkOptimizer").error("login failed
(naming): " + e.getMessage());
| (remote): " + e.getMessage());
| } catch (CreateException e) {
| Category.getInstance("WalkOptimizer").error("login failed
(create): " + e.getMessage());
| } catch (SessionException e) {
| Category.getInstance("WalkOptimizer").error("login failed
(session): " + e.getMessage());
| }
| }
|
Notice that I don't use the default InitialContext with properties supplied
from the container, but force properties that would make the lookup be executed
over the network. I also use the WalkOptimizer bean over the remote home and
interface, hoping to hide the fact that these calls come from within the
container. However, every time I get this in the log:
| 2005-05-09 12:55:25,803 ERROR [WalkOptimizer] login failed (remote):
SecurityException; nested exception is:
| java.lang.SecurityException: Insufficient method permissions,
runAsPrincipal=ejbTimeout, method=create, interface=HOME,
requiredRoles=[admin], runAsRoles=[ejbTimeout]
|
I understand this means that the create call was made over the network
(interface=HOME not LOCALHOME), but JBoss still communicated the current
principal (ejbTimeout) behind my back, no matter what I specify in the
InitialContext properties.
My core intention to postpone some work, but the work must still be executed by
a principal that represents a logged-in user. Maybe this is a completely wrong
approach - in this case please don't bother with my code, but point me in the
correct direction.
I have carefully studied posts with similar titles, and all I see is some
static security configuration that will make ejbTimeout or onMessage execute as
some static principal, but this is not what I need.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3876975#3876975
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3876975
-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events, 4
opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
