- Type: Sub-task
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 5.4
- Component/s: None
Upgrade notes:
Something in the EJB context relating to the caller principal changed in JBoss 5, and I don't know if this is a bug or the normal JEE behavior. Anyway, the current Nuxeo login logic doesn't work in JBoss 5. I spent a lot of time debugging this, especially because of the JAAS cache (I forgot about it :'( ); thanks Thierry for the hint.
Here is what is happening:
- The login procedure works OK. When logging in from the web (through the authentication filter) everything works.
- Framework.login() also works OK, BUT when calling getCallerPrincipal() on the EJBContext injected through the @Resource annotation in DocumentManagerBean, it returns the principal that originated the request (i.e. the caller) and not the authenticated principal.
I will explain in detail what happens:
Let's say you make a Framework.login() (as the system user). The system principal is created by the runtime as a SystemID instance. Then the "system" login module chain pushes this principal into a thread-local variable used by JBoss to get the current principal of a given thread.
When you make the first call to DocumentManagerBean, JBoss gets this principal and validates it using the nuxeo-ecm login module chain. This means the NuxeoLoginModule is called to validate the principal, BUT the Nuxeo login module returns the real principal (a SystemPrincipal instance) after the validation.
The JBoss 4 EJBContext returns the validated principal (or, let's say, the authenticated principal) when you call EJBContext.getCallerPrincipal().
The JBoss 5 EJBContext returns the principal used as the input of the authentication and not the one returned by NuxeoLoginModule.
In the JBoss 5 EJBContext we have a member named authenticatedSubject (which is the principal returned by our login module) and a getIdentities() method (a set of principals) which contains the originating principal (i.e. the SystemID principal).
When calling getCallerPrincipal(), instead of returning the authenticated principal, JBoss 5 returns a principal from the identities set.
To fix this I will add a CallerPrincipalProvider that DocumentManagerBean will call to get the principal when the principal retrieved from the EJBContext is not a NuxeoPrincipal.
Then in nuxeo-platform-jboss-login I will add an implementation of CallerPrincipalProvider that uses the JBoss API to get the real authenticated user.
This instance can be configured through a system or runtime property as follows:
org.nuxeo.ecm.core.api.CallerPrincipalProvider=org.nuxeo.platform.login.jboss.JBoss5CallerPrincipalProvider
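An added illustration of the fallback described above (not Nuxeo's own code): the provider class is loaded from the property named in the issue, and it is only consulted when the container's getCallerPrincipal() does not yield a NuxeoPrincipal. The CallerPrincipalProvider and NuxeoPrincipal interfaces here are stand-ins I assume for illustration; the fail-closed check at the end is my addition, since silently keeping a pre-authentication identity (the SystemID) would authorize requests under the wrong principal.

```java
// Hypothetical stand-ins for the real Nuxeo types (assumed for this example).
import java.security.Principal;
import javax.ejb.EJBContext;

interface NuxeoPrincipal extends Principal {}

/** Container-specific hook returning the principal the login module actually produced. */
interface CallerPrincipalProvider {
    Principal getCallerPrincipal(EJBContext ctx);
}

final class CallerPrincipalResolver {
    // Property name as given in the issue; the value is the provider's FQCN.
    static final String PROVIDER_PROP = "org.nuxeo.ecm.core.api.CallerPrincipalProvider";
    private static volatile CallerPrincipalProvider provider;

    /** Lazily instantiates the configured provider; returns null when none is configured. */
    static CallerPrincipalProvider getProvider() {
        CallerPrincipalProvider p = provider;
        if (p == null) {
            String fqcn = System.getProperty(PROVIDER_PROP);
            if (fqcn == null || fqcn.isEmpty()) {
                return null;
            }
            try {
                p = (CallerPrincipalProvider) Class.forName(fqcn).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot load " + PROVIDER_PROP + "=" + fqcn, e);
            }
            provider = p;
        }
        return p;
    }

    /** What DocumentManagerBean would call instead of ctx.getCallerPrincipal() directly. */
    static NuxeoPrincipal resolve(EJBContext ctx) {
        Principal p = ctx.getCallerPrincipal();
        if (p instanceof NuxeoPrincipal) {
            return (NuxeoPrincipal) p;          // JBoss 4 behaviour: authenticated principal
        }
        CallerPrincipalProvider cpp = getProvider();
        if (cpp != null) {
            p = cpp.getCallerPrincipal(ctx);    // JBoss 5: ask the container for the real one
        }
        if (p instanceof NuxeoPrincipal) {
            return (NuxeoPrincipal) p;
        }
        // Fail closed: never proceed with the originating (pre-authentication) identity.
        throw new SecurityException("No authenticated NuxeoPrincipal for caller " + p);
    }
}
```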
This problem may be related to:
https://jira.jboss.org/browse/EJBTHREE-1756
http://community.jboss.org/wiki/UsingCustomPrincpalsWith
http://community.jboss.org/message/531986#531986