users@glassfish.java.net

Re: "Security context" not propagated to Interceptors?

From: <glassfish_at_javadesktop.org>
Date: Sun, 16 Nov 2008 02:54:05 PST

Hi again.
I changed my source code to do the following:
1. the servlet invokes GreeterBean
    2. the bean has an interceptor, so it is invoked first, and isCallerInRole("szczyp") returns false, even though I logged in as "szczyp" and need this role to access the servlet and ejb in the first place
    3. then the bean itself is invoked, and isCallerInRole("szczyp") returns true, as expected
    4. then, the invoked bean calls another injected bean (GreeterBean2 instance)
        5. GreeterBean2 has the same interceptor as GreeterBean, and this time isCallerInRole("szczyp") returns true!

I repeat the call from the servlet, to make sure it behaves like this the first and more times when invoked. So the result is: when the interceptor is called before a bean called directly from a servlet, the isCallerInRole() test fails. When it is called from a bean that was called from another bean, it works as expected.

So, I downloaded the sources for glassfish, and did some debugging. I enclose the result for isCallerInRole() for the interceptor called from the servlet in this post, please see the attached files.

What I noticed is this:

there is a class "com.sun.enterprise.security.provider.BasePolicyWrapper"
and deep into isCallerInRole() the doImplies(ProtectionDomain, Permission) method of the mentioned class is invoked - line 378 of BasePolicyWrapper.java
Within this method, the Permission parameter is of type "javax.security.jacc.EJBRoleRefPermission", for bean GreeterBean, role szczyp
and some variables are initialized to perform the check:
* contextId of the invocation, which is set to "TestEAR/TestWeb_war"
* PolicyConfigurationImpl, with a property which is the URL to a policy file it reads, and this points to the incorrect one I think: "file:/home/rafal/Apps/glassfish-v2/domains/szczypior.eu/generated/policy/TestEAR/TestWeb_war/granted.policy"
So as a result the Policy object has permissions that reflect the policy file for web module (WebRoleRefPermissions for the servlets and jsp and so on), and is looking for EJBRoleRefPermission, fails, and returns false.

When I follow the same path for the bean itself, or the same interceptor, but when a bean is called from another bean, the contextId is "TestEAR/TestEJB_jar", and the URL to the policy file are set to "file:/home/rafal/Apps/glassfish-v2/domains/szczypior.eu/generated/policy/TestEAR/TestEJB_jar/granted.policy", and the isCallerInRole() returns true, as the requested permission can be found there.

So, is this a bug of glassfish, or is it valid behaviour I am experiencing?

To give more information, I am running Glassfish 2 update 2 on Sun Java 6 update 10, on 64bit Kubuntu 8.04.

Please take a look at the files I attached to this post. These contain the source for the web, ejb and ear, and also a TestEAR,ear file to deploy and run.
[Message sent by forum member 'szczyp' (szczyp)]

http://forums.java.net/jive/thread.jspa?messageID=316972