It's in the "clean things up" step that something went wrong.
 
You need to do a session.invalidate(), and then create a new guest session with a session.create("true").  Here is the bit in the RequestProcessor of the BluePrint (petstore):
 
          if (event instanceof LogoutEvent) {
              ... whatever ...
              session.invalidate();
              ... whatever ...
              HttpSession validSession = req.getSession(true);
              ... whatever ...
          }
 
This is usually done in a servlet. I would do the same thing here. Instead of using the client -> slsb -> whatever ... use client -> servlet -> slsb -> whatever bean. This way, you can abstract whatever login/logout and session control directly with the servlet, and you also abstract instancing the slsb -> whatever bean. The servlet can also be load-balanced (the slsb can't be), so if you want failover capability, you get it.
 
regards,
 
the elephantwalker
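The servlet-in-the-middle layout the reply describes, as an added example (not code from the original post, the petstore BluePrint, or Orion): login and logout both go through the servlet, which invalidates the old session and creates a fresh one exactly as the petstore fragment does, and builds the JNDI context with the user's credentials itself instead of leaving that to the client. The AccountHome interface and the JNDI name "java:comp/env/ejb/Account" are assumptions.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class AccountFrontServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        try {
            if ("logout".equals(action)) {
                logout(req);
            } else if ("login".equals(action)) {
                login(req, req.getParameter("user"), req.getParameter("password"));
            }
            resp.sendRedirect(req.getContextPath() + "/");
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    // Mirrors the petstore LogoutEvent handling: invalidate the old session,
    // then start a fresh guest one so nothing from the previous user (the bean
    // reference and, with it, its principal) survives.
    private void logout(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);
    }

    // Builds the JNDI context with the submitted credentials (the same two
    // properties the original client set), looks up the home and creates the
    // bean here instead of in the client; the password is used only for this
    // lookup and is never stored in the session. AccountHome is assumed.
    private void login(HttpServletRequest req, String user, String password)
            throws Exception {
        logout(req);  // a login always starts from a clean session
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Context ctx = new InitialContext(env);
        AccountHome home = (AccountHome) ctx.lookup("java:comp/env/ejb/Account");
        req.getSession().setAttribute("account", home.create());
        ctx.close();
    }
}
```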
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Jara
Sent: Monday, June 11, 2001 6:51 PM
To: Orion-Interest
Subject: Security bug with application clients?

Hi,
 
I'm trying to get the security portion of a project working, in which a Java client connects to a stateless session bean after login.  As far as I can tell, Orion doesn't seem to properly pass around principal objects in stateless session beans.
 
This is the sequence that my test client runs:
 
1. Prompt user for user ID & password
2. Create an InitialContext containing the user ID and password (as "java.naming.security.principal" and "java.naming.security.credentials", respectively.)
3. Look up the stateless session bean's home
4. home.create() the stateless session bean
 
So far, so good.  The stateless session bean correctly identifies the user ID within its session context's principal.  Now I clean things up and repeat the process:
 
5. remove() the stateless session bean
6. close() the InitialContext (just in case... I even went so far as to remove all of its environment properties.)
7. Log on again: prompt for a different user ID & password
8. Create a new initial context as in step 2.
9. Look up the stateless session bean's home
10. home.create() the stateless session bean
 
This is where things go wrong.  I get the principal out of the stateless session bean's session context, which indicates that I'm logged in as the first user!  The problem is that the bean is never calling "setSessionContext" on the second creation.  If I re-start the client however, it works correctly.
 
The only way I can think of to get around this is to use a stateful session bean instead...  I don't like that, because I don't need to maintain state!  Has anyone else encountered this problem?  Found a solution?
 
Thanks,
Mike
