Thursday, January 3, 2013

Weblogic JNDI & Security Contexts

Quite often when using multiple services / ejbs from different internal teams we have run into weblogic context / security errors, we always deduced the issue was how Weblogic handles it's contexts, I finally found weblogics' explanations their documents:

JNDI Contexts and Threads

When you create a JNDI Context with a username and password, you associate a user with a thread. When the Context is created, the user is pushed onto the context stack associated with the thread. Before starting a new Context on the thread, you must close the first Context so that the first user is no longer associated with the thread. Otherwise, users are pushed down in the stack each time a new context created. This is not an efficient use of resources and may result in the incorrect user being returned by ctx.lookup() calls. This scenario is illustrated by the following steps:
  1. Create a Context (with username and credential) called ctx1 for user1. In the process of creating the context, user1 is associated with the thread and pushed onto the stack associated with the thread. The current user is now user1.
  2. Create a second Context (with username and credential) called ctx2 for user2. At this point, the thread has a stack of users associated with it. User2 is at the top of the stack and user1 is below it in the stack, so user2 is used is the current user.
  3. If you do a ctx1.lookup("abc") call, user2 is used as the identity rather than user1, because user2 is at the top of the stack. To get the expected result, which is to have ctx1.lookup("abc") call performed as user1, you need to do a ctx2.close() call. The ctx2.close() call removes user2 from the stack associated with the thread and so that a ctx1.lookup("abc") call now uses user1 as expected.
  4. Note: When the weblogic.jndi.enableDefaultUser flag is enabled, there are two situations where a close() call does not remove the current user from the stack and this can cause JNDI context problems. For information on how to avoid JNDI context problems, see How to Avoid Potential JNDI Context Problems.

How to Avoid Potential JNDI Context Problems

Issuing a close() call is usually as described in JNDI Contexts and Threads. However, the following is an exception to the expected behavior that occur when the weblogic.jndi.enableDefaultUser flag is enabled:
Last Used
When using IIOP, an exception to expected behavior arises when there is one Context on the stack and that Context is removed by a close(). The identity of the last context removed from the stack determines the current identity of the user. This scenario is described in the following steps:
  1. Create a Context (with username and credential) called ctx1 for user1. In the process of creating the context, user1 is associated with the thread and stored in the stack, that is, the current identity is set to user1.
  2. Do a ctx1.close() call.
  3. Do a ctx1.lookup()call. The current identity is user1.
  4. Create a Context (with username and credential) called ctx2 for user2. In the process of creating the context, user2 is associated with the thread and stored in the stack, that is, the current identity is set to user2.
  5. Do a ctx2.close() call.
  6. Do a ctx2.lookup()call. The current identity is user2.

Link to the source Weblogic Docs: Weblogic JNDI

3 comments:

Popular Posts

Followers