geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4119) request.isUserInRole("some-role") always return false after @EJB injection
Date Tue, 17 Jun 2008 17:01:45 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12605656#action_12605656 ]

David Jencks commented on GERONIMO-4119:
----------------------------------------

This is caused by the geronimo-openejb ThreadContextListener not tracking the ContextID from
the caller nor resetting it on exit.  What's going on is:

1. Request to servlet starts, has resource/data permissions checked.
2. Initial request then creates servlet.  This results in evaluating injections and looking up the injected ejb.
3. Entering openejb code to create the ejb sets the contextID to the ejb app's ContextID.
4. ejb stuff initialized.
5. (missing) Web app ContextID should be reset on exit.
6. Now that servlet is created, the service methods are called.
7. The web role ref permission is checked against the current ContextID, which is for the ejb app -- so it fails.

After the first request, the servlet has already been created so the role-ref is checked against
the correct contextID.  However if you checked the role-ref AFTER calling the ejb you'd run
into the same problem.

> request.isUserInRole("some-role") always return false after @EJB injection
> --------------------------------------------------------------------------
>
>                 Key: GERONIMO-4119
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4119
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB, Tomcat, web
>    Affects Versions: 2.0.2
>         Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
>            Reporter: Stig Even Larsen
>            Priority: Blocker
>
> See mailing list discussion: http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html
> To recreate the malfunction you need to do the following:
> 1. Create an EAR with a local session bean and a war.
> 2. Use the default console security realm (geronimo-admin) for protecting the {context-path}/protected/* area.
> Create a new group named "partnergroup" and add the "system" user to it. Map the "partnergroup" to the partners role in the deployment descriptor (geronimo-web.xml).
> 3. Create a simple but form-protected (j_security_check) *jsp* page, ex: {context-path}/protected/test.jsp.
> {code:title=/protected/test.jsp|borderStyle=solid}
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>    "http://www.w3.org/TR/html4/loose.dtd">
> <html>
>     <head>
>         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
>         <title>JSP Test</title>
>     </head>
>     <body>
>         <h2>Role test</h2>
>         <%if(request.isUserInRole("partners")){%>
>             user is partner :)
>         <%}else{%>
>             user is NOT partner :(
>         <%}%>
>     </body>
> </html>
> {code}
> 4. Create a simple Session Bean (EJB) with a simple local method:
> {code:title=TimeUtilsBean.java|borderStyle=solid}
> import javax.ejb.Stateless;
>
> // Stateless session bean exposing one local business method via TimeUtilsLocal
> @Stateless
> public class TimeUtilsBean implements TimeUtilsLocal {
>     public String getString() {
>         return "Hello from Stateless EJB!";
>     }
> }
> {code}
> 5. Create a simple but form-protected (j_security_check) *Servlet* that uses the local EJB (ex: {context-path}/protected/info)
> {code:title=/protected/Info.java|borderStyle=solid}
> import java.io.*;
> import java.net.*;
> import javax.ejb.EJB;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import javax.naming.*;
> import javax.annotation.security.*;
> import no.nimra.geronimo.test.TimeUtilsLocal;
> import no.nimra.nis.admin.ejb.*;
> @DeclareRoles({"administrators", "partners", "users"})
> public class Info extends HttpServlet {
>     @EJB
>     private TimeUtilsLocal timeUtilsBean;
>
>     protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         response.setContentType("text/html;charset=UTF-8");
>         PrintWriter out = response.getWriter();
>         out.println("SessionID: " + request.getRequestedSessionId());
>         // getUserPrincipal() is null for an unauthenticated caller; guard before dereferencing
>         java.security.Principal principal = request.getUserPrincipal();
>         System.out.println("Principal: " + (principal == null ? "<none>" : principal.getName()));
>         if (request.isUserInRole("partners")) {
>             System.out.println("User has partners-role...");
>             out.println("User has partners-role...");
>         } else {
>             System.out.println("User has NOT partners-role...");
>             out.println("User has NOT partners-role...");
>         }
>         try {
>             out.println("<html>");
>             out.println("<head>");
>             out.println("<title>Servlet Info</title>");
>             out.println("</head>");
>             out.println("<body>");
>             out.println("<h1> " + request.getContextPath() + "</h1>");
>             if (request.getUserPrincipal() != null) {
>                 out.println("Principal: " + request.getUserPrincipal().getName());
>             }
>             out.println(timeUtilsBean.getString());
>             out.println("</body>");
>             out.println("</html>");
>         } finally {
>             out.close();
>         }
>     }
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
>     protected void doPost(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
> }
> {code}
> Description:
> Access http://{context-path}/protected/test.jsp. After successful login you will see that your login has the "partners" role. As expected.
> If you access the servlet at http://{context-path}/protected/info you will notice that you do not have the "partners" role.
> If you remove the @EJB injection it behaves as expected.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
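The sequence in the comment above (web app's ContextID set on request entry, EJB app's ContextID set when injection enters the EJB container, never restored, then the web role-ref checked against the wrong ContextID) can be reproduced outside a container. The following is an added, self-contained model written for this page; it is not Geronimo or OpenEJB code. `ContextIdHolder` stands in for the per-thread JACC PolicyContext id, `RolePolicy` is a toy policy keyed by context id, and the context ids `"web-app"` and `"ejb-app"` and the `EjbContainer` class are constructed for the illustration. The `restoreOnExit` flag switches between the leaky listener behaviour the comment describes and the save-and-restore-in-`finally` pattern that step 5 calls for.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

public class ContextIdDemo {

    /** Stand-in for the per-thread JACC PolicyContext id (constructed model, not the real API). */
    static final class ContextIdHolder {
        private static final ThreadLocal<String> CONTEXT_ID = new ThreadLocal<>();
        static String get() { return CONTEXT_ID.get(); }
        static void set(String id) { CONTEXT_ID.set(id); }
    }

    /** Toy policy: role-ref grants keyed by context id, the way a JACC policy holds per-module permissions. */
    static final class RolePolicy {
        private final Map<String, Set<String>> rolesByContext = new HashMap<>();

        void grant(String contextId, String role) {
            rolesByContext.computeIfAbsent(contextId, k -> new HashSet<>()).add(role);
        }

        /** isUserInRole() is answered against whatever context id is current on this thread. */
        boolean isUserInRole(String role) {
            Set<String> roles = rolesByContext.get(ContextIdHolder.get());
            return roles != null && roles.contains(role);
        }
    }

    /** Models the EJB container's thread-context listener around one bean invocation (hypothetical class). */
    static final class EjbContainer {
        private final String ejbContextId;
        private final boolean restoreOnExit;

        EjbContainer(String ejbContextId, boolean restoreOnExit) {
            this.ejbContextId = ejbContextId;
            this.restoreOnExit = restoreOnExit;
        }

        <T> T invoke(Supplier<T> beanMethod) {
            String callerContextId = ContextIdHolder.get(); // caller's id, may be null
            ContextIdHolder.set(ejbContextId);               // entry: switch to the EJB app's id
            try {
                return beanMethod.get();
            } finally {
                // exit: hand the caller its id back, also on an exceptional exit.
                // Without this branch the EJB app's id leaks into the rest of the request.
                if (restoreOnExit) {
                    ContextIdHolder.set(callerContextId);
                }
            }
        }
    }

    /**
     * One request, following the numbered steps in the comment: the web module is entered,
     * servlet creation triggers @EJB injection, then the web role-ref is checked.
     */
    static boolean partnersRoleAfterInjection(boolean restoreOnExit) {
        RolePolicy policy = new RolePolicy();
        policy.grant("web-app", "partners"); // constructed: the partners role-ref from geronimo-web.xml
        // the EJB module declares no "partners" role-ref, so nothing is granted for "ejb-app"

        ContextIdHolder.set("web-app");      // step 1: request enters the web app
        EjbContainer ejb = new EjbContainer("ejb-app", restoreOnExit);
        ejb.invoke(() -> "Hello from Stateless EJB!"); // steps 2-4: injection enters the EJB container
        try {
            return policy.isUserInRole("partners");    // step 7: checked against the current id
        } finally {
            ContextIdHolder.set(null);                 // request ends; do not leak across pooled threads
        }
    }

    public static void main(String[] args) {
        System.out.println("without restore on exit: " + partnersRoleAfterInjection(false));
        System.out.println("with restore on exit:    " + partnersRoleAfterInjection(true));
    }
}
```

With `restoreOnExit` false the role check runs while `"ejb-app"` is still the current id, so the web app's `partners` grant is never consulted and the check fails, exactly as on the first request in the report; with it true the caller's id is back in place before the check. The restore belongs in `finally` so that an exception thrown from the bean cannot leave the wrong id on a thread that the container will reuse for the next request.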

