Security bug with application clients?

[Michael Jara]

Hi,   I'm trying to get the security portion of a project working, in which a java client connects to a stateless session bean after login.  As far as I can tell, Orion doesn't seem to properly pass around principal objects in stateless session beans.   This is the sequence that my test client runs:   1. Prompt user for user ID & password 2. Create an InitialContext containing the user ID and password (as "java.naming.security.principal" and "java.naming.security.credentials", respectively.) 3. Look up the stateless session bean's home 4. home.create() the stateless session bean   So far, so good.  The stateless session bean correctly identifies the user ID within its session context's principal.  Now I clean things up and repeat the process:   5. remove() the stateless session bean 6. close() the InitialContext (just in case... I even went so far as to remove all of its environment properties.) 7. Log on again: prompt for a different user ID & password 8. Create a new initial context as in step 2. 9. Look up the stateless session bean's home 10. home.create() the stateless session bean   This is where things go wrong.  I get the principal out of the stateless session bean's session context, which indicates that I'm logged in as the first user!  The problem is that the bean is never calling "setSessionContext" on the second creation.  If I re-start the client however, it works correctly.   The only way I can think of to get around this is to use a stateful session bean instead...  I don't like that, because I don't need to maintain state!  Has anyone else encountered this problem?  Found a solution?   Thanks, Mike