
javax.ejb.SessionContext getCallerPrincipal() returns 'Guest'

Former Member
0 Kudos

hello,

I am running J2EE 620 SP16 (61200.20) on Windows. My EAR is deployed OK; it contains, among other things, a stateless session bean (container managed) and a web app.

The web app uses FORM-based login; the form is implemented as a JSP file. Most URLs to my web app are protected through a security role. There is no custom login module, so the default inqmy login module is used.

My web app does some user management as well and requires users to exist in another proprietary database. So what I did is to create the users in the SAP engine's user store under the same id. My app simply checks that the authenticated user passed through the SAP engine matches one of the existing users.

When accessing my web app, my login form is correctly displayed. When entering an invalid user/pwd, it correctly complains. But when entering a correct user/pwd, my app can't find a matching user in its own db.

I stepped through the code by means of remote debugging in Eclipse and found something rather strange and disturbing:

In my servlet code, it accesses the stateless session bean and gets the logged-in user by calling SessionContext.getCallerPrincipal(). The first call correctly returns the user id I typed in the login JSP form, but any subsequent call returns 'Guest'.

How did this happen? Why do the subsequent calls to the EJB assume the identity of 'Guest'? Does it have anything to do with security roles and resources, permissions etc.? If so, how should I set them?

This same web app used to work fine, including the login, under a lower patch level of J2EE 620 (45486.20). It also works under the sneak preview version of WAS 640. So what has changed in 620 SP16?

Many thanks in advance and best regards.

wentao

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

I'm getting exactly the same problem, but in SP15. It seems that in all our applications' EJBs getCallerPrincipal() always returns "Guest".

It's possible that it's not every single call that is wrong, and that the first is correct (as per the comment above); I haven't been able to confirm this yet.

Did anyone find a fix/workaround for this?

Former Member
0 Kudos

Hi Wentao,

I did the same test with 6.4 SP6 (which I think is being used only internally) and getCallerPrincipal() returns the correct username even "inside" EJBs.

What I can't make work is the context.isCallerInRole("ROLE")... This works in the Web Application, but the roles are not being passed to the EJBs...

Regards

Dov

Former Member
0 Kudos

Hello Benny and Dov,

Thanks for your replies. Yes, this appears to be a bug in 620 SP16. One more thing to note: on 620 SP16, I have the cluster version even though it is a central instance with just one server. On 620 version 45486.20, I have the stand-alone version. Not clear whether it makes much difference. I am trying to get an updated version of the stand-alone server and see.

On the 640 sneak preview version, calls to getCallerPrincipal() always return the correct authenticated user. I haven't tried to use isCallerInRole() yet inside either the web app or the EJB. I wonder if it has to do with the security-role settings for the EJB. I will give it a try and report back. It may take a while though.

Thanks and regards,

wentao
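The pattern under discussion in Wentao's question (matching SessionContext.getCallerPrincipal() against the application's own user store) and in Dov's reply (isCallerInRole() inside an EJB), written out as an added example in EJB 2.x style; this is not code from the thread or from SAP. The bean name, the role-ref name "admin", and the in-memory user set standing in for the proprietary database are assumptions. The point it adds is that the comparison should fail closed: a null principal or the engine's anonymous 'Guest' name is rejected before any lookup, and the observed principal is logged per call so the "first call correct, later calls Guest" symptom shows up in the server log rather than only under a debugger.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Stateless session bean (EJB 2.x, the model used on J2EE 6.20).
 * Hypothetical name; not an SAP or thread-provided class.
 */
public class UserCheckBean implements SessionBean {

    private static final Logger LOG = Logger.getLogger("UserCheckBean");

    // Constructed stand-in for the application's proprietary user database.
    private static final Set KNOWN_USERS = new HashSet();
    static {
        KNOWN_USERS.add("wentao"); // constructed sample ids
        KNOWN_USERS.add("dov");
    }

    // Name the engine reports for an unauthenticated caller, as seen in the thread.
    private static final String ANONYMOUS = "Guest";

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /** Business method: returns the matched application user id or throws. */
    public String currentAppUser() {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? null : p.getName();
        // One line per call makes a principal that flips to Guest visible in the log.
        LOG.info("getCallerPrincipal() -> " + name);
        return resolveUser(name);
    }

    /** Pure matching logic, kept free of container calls so it can be unit-tested. */
    static String resolveUser(String callerName) {
        if (callerName == null || ANONYMOUS.equals(callerName)) {
            // Fail closed: never look an anonymous principal up in the app user store.
            throw new EJBException("caller not authenticated (principal=" + callerName + ")");
        }
        if (!KNOWN_USERS.contains(callerName)) {
            throw new EJBException("user '" + callerName + "' has no application record");
        }
        return callerName;
    }

    /**
     * Role check inside the EJB. "admin" is an assumed role-ref name; it must be
     * declared for this bean with <security-role-ref> in ejb-jar.xml and linked to
     * a <security-role>, otherwise the container resolves it to false.
     */
    public boolean callerIsAdmin() {
        boolean inRole = ctx.isCallerInRole("admin");
        LOG.info("isCallerInRole(admin) -> " + inRole);
        return inRole;
    }
}
```

For the isCallerInRole() part, the EJB 2.x descriptor needs, inside the bean's `<session>` element, a `<security-role-ref>` whose `<role-name>` is the string passed to isCallerInRole() and whose `<role-link>` names a `<security-role>` declared in the assembly descriptor; a role that is only declared in web.xml is not visible to the bean. Whether the role then reaches the EJB depends on the container propagating the web-tier identity on the call, which is exactly what the thread reports as broken on 620 SP16.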

Benny
Product and Topic Expert
0 Kudos

This seems to be a case for support. Please issue an OSS message.