In EAP6 InitialContext caches security info for each endpoint.name

Solution Unverified - Updated -

Issue

  • In EAP 6, once an EJB invocation has authenticated successfully through the scoped client context mechanism, subsequent InitialContext lookups that use the same "endpoint.name" reuse the cached connection and its security information, even when the new lookup supplies different (and wrong) credentials. As a result a second user is granted access to the EJB methods although that user's credentials are invalid.

  • The following "getInitialContext" method is executed every time a new user requests an InitialContext. Note that "endpoint.name" is the same fixed string on every call, so every user's scoped context shares one endpoint.

    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;

    // Builds a scoped EJB client context with a single remote connection ("A")
    // authenticated with the credentials of the calling user.
    private Context getInitialContext(String host, String port, String username, String password) {
        InitialContext context = null;
        try {
            Properties props = new Properties();
            // Same endpoint name for every user: the cached security info is keyed by it
            props.put("endpoint.name", "AnyGoodNameEndpoint");
            props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
            // Scoped context: the EJB client context belongs to this InitialContext
            // instead of the JVM-wide (global) EJB client context
            props.put("org.jboss.ejb.client.scoped.context", "true");
            props.put("remote.connections", "A");
            props.put("remote.connection.A.host", host);
            props.put("remote.connection.A.port", port);
            // Credentials of the user making this lookup
            props.put("remote.connection.A.username", username);
            props.put("remote.connection.A.password", password);
            props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
            props.put("remote.connection.A.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
            context = new InitialContext(props);
        } catch (NamingException e) {
            e.printStackTrace();
        }
        return context;
    }
  • The "org.jboss.ejb.client.scoped.context" property is used so that the same code can access different EJBs deployed on different JBoss instances.
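
As an added illustration (editor's example, not code from this knowledgebase article or from Red Hat), the following Java class shows one way to keep users' scoped contexts apart: because the cached security information is keyed by "endpoint.name", each credential set gets its own endpoint name, and the scoped context is closed in a finally block once the invocation is done. The remote interface "SecuredRemote", the JNDI name, the host/port values and the assumption that closing the scoped InitialContext releases its connection are all illustrative assumptions, not facts the article states.

```java
import java.util.Properties;
import java.util.concurrent.atomic.AtomicLong;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not from the knowledgebase article): one scoped EJB client
 * context per credential set, identified by a unique endpoint.name, closed
 * after use so that its authenticated connection is not reused by a later
 * caller with different credentials.
 */
public class IsolatedScopedContext {

    /** Hypothetical remote view of the secured EJB (assumption for this example). */
    public interface SecuredRemote {
        String securedMethod();
    }

    private static final AtomicLong COUNTER = new AtomicLong();

    /** Same properties as the article's getInitialContext, but with a caller-supplied endpoint name. */
    static Properties scopedProps(String endpointName, String host, String port,
                                  String username, String password) {
        Properties props = new Properties();
        props.put("endpoint.name", endpointName);
        props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        props.put("org.jboss.ejb.client.scoped.context", "true");
        props.put("remote.connections", "A");
        props.put("remote.connection.A.host", host);
        props.put("remote.connection.A.port", port);
        props.put("remote.connection.A.username", username);
        props.put("remote.connection.A.password", password);
        props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
        props.put("remote.connection.A.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        return props;
    }

    /** Endpoint name that differs per user and per lookup, so two credential sets never share an endpoint. */
    static String endpointNameFor(String username) {
        return "ejb-client-" + username + "-" + COUNTER.incrementAndGet();
    }

    /**
     * Looks up the remote bean and invokes it on behalf of one user. The proxy is
     * used only inside the try block; the scoped context is closed afterwards
     * (assumption: close() tears down the scoped EJB client context and its connection).
     */
    static String callAs(String host, String port, String username, String password,
                         String jndiName) throws NamingException {
        Properties props = scopedProps(endpointNameFor(username), host, port, username, password);
        InitialContext context = new InitialContext(props);
        try {
            SecuredRemote bean = (SecuredRemote) context.lookup(jndiName);
            return bean.securedMethod();
        } finally {
            context.close();
        }
    }

    public static void main(String[] args) {
        // Hypothetical deployment: ejb:<app>/<module>/<distinct-name>/<bean>!<remote-view>
        String jndi = "ejb:myapp/myejb//SecuredBean!" + SecuredRemote.class.getName();
        String host = "localhost";
        String port = "4447";

        // First user, valid credentials (constructed sample values)
        try {
            System.out.println("alice: " + callAs(host, port, "alice", "alice-secret", jndi));
        } catch (Exception e) {
            System.out.println("alice failed: " + e);
        }

        // Second user, wrong password. With its own endpoint and a fresh context
        // there is no cached connection from alice to fall back on, so the server
        // must authenticate bob's credentials itself.
        try {
            System.out.println("bob: " + callAs(host, port, "bob", "wrong-password", jndi));
        } catch (Exception e) {
            System.out.println("bob rejected as expected: " + e);
        }
    }
}
```

The per-lookup endpoint name costs one connection setup per call; if that is too expensive, key the endpoint name by user only and keep one context per authenticated user, but never let contexts built for different credential sets share an endpoint name.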

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.1.x
