geronimo-dev mailing list archives

From "Kevan Miller (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-2100) Subject can remain attached to thread on return from web app request, causing problems later on subsequent use of that thread
Date Fri, 09 Jun 2006 23:56:30 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-2100?page=comments#action_12415626 ] 

Kevan Miller commented on GERONIMO-2100:
----------------------------------------

For posterity, here's the error that you get:

07:47:21,992 WARN  [SystemExceptionInterceptor] MyEjbTest
java.lang.AssertionError: No registered context
	at org.apache.geronimo.security.ContextManager.getCurrentContext(ContextManager.java:129)
	at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:95)
	at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
	at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
	at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
	at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
	at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:547)
	at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
	at org.openejb.GenericEJBContainer$$FastClassByCGLIB$$60a0c356.invoke(<generated>)
	at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
	at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
	at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
	at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
	at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
	at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
	at org.openejb.EJBContainer$$EnhancerByCGLIB$$19a9c94a.invoke(<generated>)
	at org.openejb.server.axis.EJBContainerProvider.processMessage(EJBContainerProvider.java:103)
	at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
	at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
	at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
	at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
	at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
	at org.apache.geronimo.axis.server.AxisWebServiceContainer.invoke(AxisWebServiceContainer.java:119)
	at org.apache.geronimo.jetty.JettyEJBWebServiceContext.handle(JettyEJBWebServiceContext.java:153)
	at org.mortbay.http.HttpServer.service(HttpServer.java:909)
	at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
	at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)
	at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
	at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
	at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
	at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

> Subject can remain attached to thread on return from web app request, causing problems later on subsequent use of that thread
> -----------------------------------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-2100
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2100
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: web
>     Versions: 1.2, 1.1
>     Reporter: David Jencks
>     Assignee: David Jencks
>     Priority: Blocker
>      Fix For: 1.2, 1.1

>
> There's no code to reset ContextManager.currentCaller in the jetty integration.  It gets set o.m.j.servlet.WebApplicationHandler.dispatch checking security credentials >>>>>> InternalJAASJettyRealm, and also by JettyEJBWebServiceContext somewhat more directly.
> The problem appears to occur when a subject is left on a thread and the thread is used for an unauthenticated ejb web services call.  The responsibility for setting the subject on unauthenticated ejb web services calls is too distributed, but what actually sets it is GenericEJBContainer.DefaultSubjectInterceptor, which only installs the defaultSubject if there is no subject already set.
> A minimal fix is to set the currentCaller to null if no authentication is needed in JettyEJBWebServiceContext:
>                 if (authenticator != null) {
>                     String pathInContext = org.mortbay.util.URI.canonicalPath(req.getPath());
>                     if (authenticator.authenticate(realm, pathInContext, req, res) == null) {
>                         throw new HttpException(403);
>                     }
>                 } else {
>                     //EJB will figure out correct defaultSubject shortly
>                     //TODO Need to check that the handler chain will see the correct defaultSubject
>                     ContextManager.setCurrentCaller(null);
>                 }
> However, it would be much better to make sure that in addition the subject can't escape back into the calling environment.  This can be done easily in JettyEJBWebServiceContext but requires a simple subclass of o.m.j.servlet.WebApplicationHandler for normal servlet requests.


