geronimo-user mailing list archives

From David Jencks <>
Subject Re: EJB & Web App losing Subject
Date Tue, 14 Jul 2009 20:13:05 GMT

On Jul 14, 2009, at 11:39 AM, Kory Markevich wrote:

> A web app (built with Spring & GWT) we're building is currently having issues with security and EJBs. Some calls made by the app to EJBs are throwing "Unauthorized Access by Principal Denied" exceptions. Investigating this it seems that whenever a new thread in geronimo is started to service the call the auth credentials aren't being copied. For example, ContextManager.login is called in thread "http-", and subsequent EJB calls work correctly. Some time later a new thread "http-" is created and the EJB call takes place in it. Geronimo notices that there isn't a subject and installs the default subject (using ContextManager.setCallers), which of course doesn't have the required principals.
> I'm assuming the thread spawning is normal though I don't know that. We do have another web app, using Spring but not GWT, that is working correctly. Both web apps use custom LoginModules, though not the same ones. Could this be caused by the web app? Where could I look to get more information?

What creates the new non-working thread? In geronimo we generally don't assume anything about the relationship between threads, so if you want the new thread to get a particular security context you'll have to install it yourself.

Something like

import javax.security.auth.Subject;
import org.apache.geronimo.security.ContextManager;

// Capture the caller's Subject on the thread where ContextManager.login ran.
final Subject threadSubject = ContextManager.getCurrentCaller();
Runnable work = new Runnable() {

    public void run() {
        // Install the captured Subject as current and next caller on the new thread.
        ContextManager.setCallers(threadSubject, threadSubject);
        // ... do work
        // thread expires
    }
};

I probably have all the details wrong but this idea should work.
If you use a thread from a thread pool (which I'd recommend) you should uninstall the security context when you are done with the thread.

hope this helps
david jencks

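The capture-and-reinstall idea above, including the cleanup step the reply recommends for pooled threads, written out as an added example (not code from the thread or from Geronimo itself). It assumes that ContextManager.setCallers returns the worker thread's previous org.apache.geronimo.security.Callers and that ContextManager.popCallers(Callers) restores them; check both against your Geronimo version.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Runs a task with the Subject that was current on the submitting thread,
 * then restores whatever security context the worker thread had before.
 * Assumption: setCallers returns the previous Callers and popCallers restores them.
 */
public final class SubjectPropagatingRunnable implements Runnable {
    private final Subject submitterSubject;
    private final Runnable delegate;

    public SubjectPropagatingRunnable(Runnable delegate) {
        // Constructed on the request thread, where ContextManager.login already ran.
        this.submitterSubject = ContextManager.getCurrentCaller();
        this.delegate = delegate;
    }

    public void run() {
        if (submitterSubject == null) {
            // Nothing captured: let Geronimo apply its default subject as it normally would.
            delegate.run();
            return;
        }
        // Install the captured Subject as both current and next caller on this thread.
        Callers previous = ContextManager.setCallers(submitterSubject, submitterSubject);
        try {
            delegate.run();
        } finally {
            // Pooled threads are reused: never leave the caller's Subject behind.
            ContextManager.popCallers(previous);
        }
    }

    public static void main(String[] args) {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        // Wrap at submission time so the Subject is captured on the request thread.
        pool.submit(new SubjectPropagatingRunnable(new Runnable() {
            public void run() {
                // EJB calls made here see the submitter's principals, not the default subject.
            }
        }));
        pool.shutdown();
    }
}
```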