8 Replies Latest reply: Mar 14, 2013 12:23 AM by 996481 RSS

Security Problem when call EJB in servlet:[Security:090398]Invalid Subject

996481 Newbie
Hi guys,
I have several years of experience with Java and EJB development, but I still can't explain this problem, although I already know the fix...
Please, can anyone help me explain why? Thanks very much!
OK, the problem is: when I call a remote EJB in one method, that is, everything about the EJB is in one method, then everything is OK. But when I just return the *remote service object from a helper class's static method, and call the service in the servlet, then I get java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[sundan076], where sundan076 is the username logged in to the web application.*
The right way: call method directCall(param); the wrong way: call method staticToolCall(final Map param).
-----
// EJBServletClient.java (imports added; BizApplyService and BizApplyServiceHome are the project's own EJB interfaces)
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EJBServletClient extends HttpServlet
{
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
     {
          this.doPost(request, response);
     }

     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
               IOException
     {

          try
          {
               Map<String, String> param = new HashMap<String, String>();
               param.put("CTS_CUSTOMER_ID", request.getParameter("CTS_CUSTOMER_ID"));
               param.put("CTS_TASK_ID", request.getParameter("CTS_TASK_ID"));
               param.put("SERIALNO", request.getParameter("SERIALNO"));
               param.put("CUSTOMER_SERVICE_UM", request.getParameter("CUSTOMER_SERVICE_UM"));

               // The right way: lookup, remote call and context.close() all in one method.
               Map result = this.directCall(param);
               // The wrong way, which produces the stack trace below:
               // Map result = this.staticToolCall(param);
               System.out.println(result);
          } catch (Exception e)
          {
               e.printStackTrace();
               throw new ServletException(e);
          }

     }

     // Works: the context is closed in finally only after modifyApplyCustomerInfo has returned.
     private Map directCall(Map param) throws Exception
     {
          Context context = null;
          try
          {
               Properties p = new Properties();
               p.put(Context.PROVIDER_URL, "t3://10.25.32.13:31256");
               p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
               p.put(Context.SECURITY_PRINCIPAL, "username");
               p.put(Context.SECURITY_CREDENTIALS, "password");
               context = new InitialContext(p);
               BizApplyServiceHome home = (BizApplyServiceHome) PortableRemoteObject.narrow(
                         context.lookup("ejb/rcs-css/BizApplyService"), BizApplyServiceHome.class);
               BizApplyService bizApplyService = home.create();
               return bizApplyService.modifyApplyCustomerInfo(param);
          } finally
          {
               if (context != null)
               {
                    context.close();
               }
          }
     }

     // Fails with [Security:090398]: getBizApplyService() has already closed its context
     // before the remote call below is made.
     private Map staticToolCall(final Map param) throws Exception
     {
          BizApplyService bizApplyService = EJBTool.getBizApplyService();
          return bizApplyService.modifyApplyCustomerInfo(param);
     }
}

// EJBTool.java (imports added)
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class EJBTool
{

     // Returns the remote stub; the context used for the lookup is closed on the way out.
     public static BizApplyService getBizApplyService() throws Exception
     {
          Context context = null;
          try
          {
               Properties p = new Properties();
               p.put(Context.PROVIDER_URL, "t3://10.25.32.13:31256");
               p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
               p.put(Context.SECURITY_PRINCIPAL, "username");
               p.put(Context.SECURITY_CREDENTIALS, "password");
               context = new InitialContext(p);
               BizApplyServiceHome home = (BizApplyServiceHome) PortableRemoteObject.narrow(
                         context.lookup("ejb/rcs-css/BizApplyService"), BizApplyServiceHome.class);
               return home.create();
          } finally
          {
               if (context != null)
               {
                    context.close();
               }
          }
     }

}

-----
java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[sundan076]
     at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
     at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
     at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
     at com.pingan.rcs.css.biz.service.remote.ejb.bizApplyService_u7jjbk_EOImpl_1032_WLStub.modifyApplyCustomerInfo(Unknown Source)
     at com.pingan.pafax.web.EJBServletClient.staticToolCall(EJBServletClient.java:80)
     at com.pingan.pafax.web.EJBServletClient.doPost(EJBServletClient.java:43)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[sundan076]
     at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:835)
     at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:524)
     at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:315)
     at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:875)
     at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:310)
     at weblogic.rmi.cluster.ClusterableServerRef.dispatch(ClusterableServerRef.java:242)
     at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:1138)
     at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:1020)
     at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:240)
     at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:882)
     at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMConnection.java:453)
     at weblogic.rjvm.t3.MuxableSocketT3.dispatch(MuxableSocketT3.java:322)
     at weblogic.socket.BaseAbstractMuxableSocket.dispatch(BaseAbstractMuxableSocket.java:298)
     at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:915)
     at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:854)
     at weblogic.socket.EPollSocketMuxer.dataReceived(EPollSocketMuxer.java:215)
     at weblogic.socket.EPollSocketMuxer.processSockets(EPollSocketMuxer.java:177)
     at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
     at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)

Edited by: 993478 on 2013-3-12 8:40 PM
  • 1. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    r035198x Pro
    Perhaps related to the solution you just provided in the caching handles thread: Caching Remote interface and initialContext causes [EJB:010160]Security
    So here, try using the subject with weblogic.security.Security.runAs just to see if that resolves the problem.
  • 2. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    996481 Newbie
    Well, I think this is not the same problem, because the code is executed in exactly one thread!
    I have to say "this is weird". As far as I know, the helper method just returned the reference to the remote interface. Whether it is called inside or outside the place where the object is created, it refers to the same object in the JVM. So, my question is: what causes the difference?
  • 3. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    r035198x Pro
    Would be easier if you try using the subject with weblogic.security.Security.runAs just to see if that resolves the problem first before we continue the speculation.
  • 4. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    996481 Newbie
    Thanks for your suggestion!
    But in my code it's a one-time operation; there is no previously cached subject to make the weblogic.security.Security.runAs() call with. And as I wrote, if I put all the EJB-related code in one method, everything is OK. I know it's not a good design style, but I don't think it would cause any error!
    So, can anyone explain why this code causes the exception?
  • 5. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    r035198x Pro
    You can investigate if it's the context that's causing this by creating the context in your servlet doPost and passing it to the getBizApplyService method and see if the problem is still there.
  • 6. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    996481 Newbie
    I tried your way, and it works! Still, does anyone know why staticToolCall() raised the exception?

    By the way, here is the code as you suggested:
    -----
    // EJBServletClient.java (imports added)
    import java.io.IOException;
    import java.util.HashMap;
    import java.util.Map;
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.rmi.PortableRemoteObject;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class EJBServletClient extends HttpServlet
    {
         protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
                   IOException
         {

              Context context = null;
              try
              {
                   Map<String, String> param = new HashMap<String, String>();
                   param.put("CTS_CUSTOMER_ID", request.getParameter("CTS_CUSTOMER_ID"));
                   param.put("CTS_TASK_ID", request.getParameter("CTS_TASK_ID"));
                   param.put("SERIALNO", request.getParameter("SERIALNO"));
                   param.put("CUSTOMER_SERVICE_UM", request.getParameter("CUSTOMER_SERVICE_UM"));

                   //Map result = this.staticToolCall(param);

                   // The context is created here, in doPost, and stays open until the
                   // finally block below, i.e. until after the remote call has returned.
                   Properties p = new Properties();
                   p.put(Context.PROVIDER_URL, "t3://10.25.32.13:31256");
                   p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
                   p.put(Context.SECURITY_PRINCIPAL, "username");
                   p.put(Context.SECURITY_CREDENTIALS, "password");
                   context = new InitialContext(p);
                   Map result = EJBTool.modifyApplyCustomerInfo(context, param);
                   System.out.println(result);
              } catch (Exception e)
              {
                   e.printStackTrace();
                   throw new ServletException(e);
              } finally
              {
                   if (context != null)
                   {
                        try { context.close(); } catch (NamingException e) { e.printStackTrace(); }
                   }
              }
         }
    }

    // EJBTool.java (imports added)
    import java.util.Map;
    import javax.naming.Context;
    import javax.rmi.PortableRemoteObject;

    public class EJBTool
    {
         // The caller owns the context; this method only looks up and invokes.
         public static Map modifyApplyCustomerInfo(Context context, Map param) throws Exception
         {
              BizApplyServiceHome home = (BizApplyServiceHome) PortableRemoteObject.narrow(
                        context.lookup("ejb/rcs-css/BizApplyService"), BizApplyServiceHome.class);
              BizApplyService bizApplyService = home.create();
              Map result = bizApplyService.modifyApplyCustomerInfo(param);
              return result;
         }
    }
  • 7. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    r035198x Pro
    Since JNDI contexts are not thread-safe, doPost is safe to create the context in, while your other static class seems not to be.
  • 8. Re: Security Problem when call EJB in servlet:[Security:090398]Invalid Subject
    996481 Newbie
    On thread safety, I agree with you! But in my case, I just ran this code on my own PC; I am sure no other people submitted the same page at the same time. And I also debugged into the code: the only thread accessing this code is the one from WebLogic's Execute Thread Pool.
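An added example, not code from the thread or from either poster, that isolates what the two call paths in the original post actually differ in. In directCall() the InitialContext is closed in finally only after modifyApplyCustomerInfo() has returned; in staticToolCall() the context is closed inside getBizApplyService() before the stub is ever invoked. WebLogic associates the principal given via SECURITY_PRINCIPAL with the calling thread only while that context is open, so a helper that returns the stub and closes the context leaves the later invocation running under whatever subject the servlet was already executing as (here the web user sundan076), which the remote server rejects as an invalid subject. The helper below keeps lookup, invocation and close() in one scope by taking the work as a callback, and logs the principals on the thread at each step so the change can be observed. ScopedEJBCall, Work, withBizApplyService, environment, logSubject and UsageFromServlet are names made up for this example; BizApplyService and BizApplyServiceHome are the project's interfaces as used in the thread; weblogic.security.Security.getCurrentSubject() is WebLogic's own API and is used only for the diagnostic output.

```java
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import weblogic.security.Security;   // WebLogic-specific; used only for the diagnostic logging

// Hypothetical helper (not from the thread): lookup, remote call and close() stay in one scope,
// which is the ordering of directCall(); staticToolCall() closes first and invokes later.
public final class ScopedEJBCall
{
     // Work to run while the context (and the principal it authenticated) is still on the thread.
     public interface Work<T>
     {
          T run(BizApplyService service) throws Exception;
     }

     private ScopedEJBCall() {}

     public static <T> T withBizApplyService(Properties env, Work<T> work) throws Exception
     {
          Context context = null;
          logSubject("before InitialContext");   // the servlet's own subject, e.g. the web user
          try
          {
               context = new InitialContext(env);
               logSubject("after InitialContext");   // the SECURITY_PRINCIPAL user is now on the thread
               BizApplyServiceHome home = (BizApplyServiceHome) PortableRemoteObject.narrow(
                         context.lookup("ejb/rcs-css/BizApplyService"), BizApplyServiceHome.class);
               BizApplyService service = home.create();
               // The remote invocation happens here, before the finally block closes the context.
               return work.run(service);
          } finally
          {
               if (context != null)
               {
                    try { context.close(); } catch (NamingException e) { e.printStackTrace(); }
                    logSubject("after close");   // back to the servlet's own subject
               }
          }
     }

     // Builds the JNDI environment. The credentials are parameters here; in practice they
     // are assumed to come from server configuration rather than from source code.
     public static Properties environment(String providerUrl, String user, String password)
     {
          Properties p = new Properties();
          p.put(Context.PROVIDER_URL, providerUrl);
          p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
          p.put(Context.SECURITY_PRINCIPAL, user);
          p.put(Context.SECURITY_CREDENTIALS, password);
          return p;
     }

     // Diagnostic: which principals are on the calling thread at each step.
     private static void logSubject(String step)
     {
          Subject s = Security.getCurrentSubject();
          System.out.println(step + ": principals=" + s.getPrincipals());
     }
}

// Usage from the servlet's doPost, with the same param map the thread builds.
class UsageFromServlet
{
     static Map call(final Map param, Properties env) throws Exception
     {
          return ScopedEJBCall.withBizApplyService(env, new ScopedEJBCall.Work<Map>()
          {
               public Map run(BizApplyService service) throws Exception
               {
                    return service.modifyApplyCustomerInfo(param);
               }
          });
     }
}
```

The three logSubject() lines are the check worth running before changing any design: if the principal set differs between "after InitialContext" and "after close", a stub obtained from a helper that has already closed its context will be invoked under the latter identity, regardless of how many threads are involved. The callback shape also avoids the helper-caches-a-stub pattern that the caching-handles thread linked in reply 1 ran into.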
