Hi,
I'm trying to get the security portion of a project
working, in which a java client connects to a stateless session bean after
login. As far as I can tell, Orion doesn't seem to properly pass around
principal objects in stateless session beans.
This is the sequence that my test client runs:
1. Prompt user for user ID & password
2. Create an InitialContext containing the user ID and password (as "java.naming.security.principal" and "java.naming.security.credentials", respectively.)
3. Look up the stateless session bean's home
4. home.create() the stateless session bean
So far, so good. The stateless session bean
correctly identifies the user ID within its session context's principal.
Now I clean things up and repeat the process:
5. remove() the stateless session bean
6. close() the InitialContext (just in case... I even went so far as to remove all of its environment properties.)
7. Log on again: prompt for a different user ID & password
8. Create a new initial context as in step 2.
9. Look up the stateless session bean's home
10. home.create() the stateless session bean
This is where things go wrong. I get the
principal out of the stateless session bean's session context, which indicates
that I'm logged in as the first user! The problem is that the bean is
never calling "setSessionContext" on the second creation. If I re-start
the client however, it works correctly.
The only way I can think of to get around this is
to use a stateful session bean instead... I don't like that, because I
don't need to maintain state! Has anyone else encountered this
problem? Found a solution?
Thanks,
Mike
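The ten-step sequence above, written out as a Java application client together with a minimal bean it can call. This is an added example, not code from the original post or from Orion: the `WhoAmI` / `WhoAmIHome` / `WhoAmIBean` names, the `callerName()` business method, the JNDI name and the initial-context factory class and provider URL are assumptions (the last two are left as placeholders to be replaced with the server's real values). The only identifiers taken from the post are the two JNDI security properties, which are the values of the `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS` constants.

```java
// Added example (not from the original post): login -> lookup -> create -> call -> remove,
// run twice with different users, and a check that the bean-reported identity matches the
// user who logged in. Factory class, provider URL and JNDI name are placeholders.
import java.io.Console;
import java.rmi.RemoteException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.RemoveException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/** Remote interface of the assumed test bean. */
interface WhoAmI extends EJBObject {
    String callerName() throws RemoteException;
}

/** Home interface of the assumed test bean. */
interface WhoAmIHome extends EJBHome {
    WhoAmI create() throws CreateException, RemoteException;
}

/** Assumed bean class. The caller principal is read inside the business method,
 *  i.e. per invocation; setSessionContext runs once per pooled instance. */
class WhoAmIBean implements SessionBean {
    private SessionContext ctx;
    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();   // identity of the current call
        return p == null ? "<anonymous>" : p.getName();
    }
}

public class SecurityClientDemo {
    // Placeholders (assumptions): substitute the server's real factory class and URL.
    static final String FACTORY = "PLACEHOLDER.InitialContextFactory";
    static final String URL = "PLACEHOLDER://host/app";
    static final String JNDI_NAME = "WhoAmIHome";   // assumed deployment name

    /** Steps 2-6 (and 8-10): one full login/lookup/create/call/remove cycle.
     *  Returns the principal name the bean saw for this call. */
    static String loginAndAsk(String user, char[] password)
            throws NamingException, RemoteException, CreateException, RemoveException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, user);                   // "java.naming.security.principal"
        env.put(Context.SECURITY_CREDENTIALS, new String(password)); // "java.naming.security.credentials"
        Context ic = new InitialContext(env);
        WhoAmI bean = null;
        try {
            Object ref = ic.lookup(JNDI_NAME);
            WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(ref, WhoAmIHome.class);
            bean = home.create();            // step 4 / 10
            return bean.callerName();
        } finally {
            if (bean != null) bean.remove(); // step 5
            ic.close();                      // step 6
        }
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();
        for (int round = 1; round <= 2; round++) {    // steps 1-6, then 7-10
            String user = con.readLine("User %d: ", round);     // step 1 / 7
            char[] pw = con.readPassword("Password: ");
            String reported = loginAndAsk(user, pw);
            Arrays.fill(pw, ' ');                               // scrub the password copy
            System.out.println("logged in as " + user + ", bean reports " + reported);
            if (!user.equals(reported)) {
                System.out.println("MISMATCH: bean reported a stale principal after re-login");
            }
        }
    }
}
```

Running the client with two different accounts gives a direct test of the symptom described in the post: the second round should print the second user's name. The bean side deliberately calls `getCallerPrincipal()` inside the business method rather than caching it in `setSessionContext`, because the EJB specification defines `getCallerPrincipal()` as the identity of the current invocation, whereas stateless instances are pooled and `setSessionContext` is invoked when the container creates the instance, not on every `home.create()`.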