I have an application that uses Quartz for job scheduling started via servlet
QuartzInitializerServlet which is automatically started during server startup or
deployment and init(ServletConfig cfg) is called.
The problem is, when undeploying and deploying the application from NetBeans (which
is done under the "admin" user using
org.apache.tools.ant.taskdefs.optional.sun.appserv.DeployTask via ant), the
init() method of the servlet is executed under Principal "admin", and not under
"ANONYMOUS" as it is done when the server is restarted. This creates problems
because then jobs run under different Principals depending on how the
application was initialized (via server startup or redeployment).
When you call SecurityContext.getCurrent().getCallerPrincipal(); in init()
method of a servlet with <load-on-startup>1</load-on-startup> in web.xml, the
bug manifests itself.
I believe SecurityContext should be switched to the default unauthorized context when
initializing web application modules even when redeploying applications.
This problem was detected in Glassfish V2ur1. I haven't tested V2ur2.
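
A check for the behaviour reported above, added here as an example and not part of the original report or of GlassFish: a load-on-startup servlet that records which Principal init() ran under and logs a warning when it is not the expected one. The class name, the `expectedPrincipal` init parameter, the context attribute name and the `com.sun.enterprise.security` import path are assumptions; only `SecurityContext.getCurrent().getCallerPrincipal()` and the "ANONYMOUS" / "admin" names come from the report.

```java
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
// Assumption: package of the GlassFish V2 SecurityContext class named in the report.
import com.sun.enterprise.security.SecurityContext;

/**
 * Map this servlet in web.xml with <load-on-startup>1</load-on-startup> so that
 * init() runs at server start and at (re)deployment, the two cases the report compares.
 */
public class InitPrincipalCheckServlet extends HttpServlet {
    /** Hypothetical attribute name; job code can read it before scheduling work. */
    public static final String OBSERVED_ATTR = "initPrincipalCheck.observed";
    private static final Logger LOG =
            Logger.getLogger(InitPrincipalCheckServlet.class.getName());

    @Override
    public void init(ServletConfig cfg) throws ServletException {
        super.init(cfg);

        // Hypothetical init-param; defaults to the identity seen on a server restart.
        String expected = cfg.getInitParameter("expectedPrincipal");
        if (expected == null) {
            expected = "ANONYMOUS";
        }

        // The call from the report; guard against a missing context or principal.
        SecurityContext ctx = SecurityContext.getCurrent();
        Principal caller = (ctx == null) ? null : ctx.getCallerPrincipal();
        String observed = (caller == null) ? "<none>" : caller.getName();

        // Publish the observed identity so scheduled jobs can compare against it.
        cfg.getServletContext().setAttribute(OBSERVED_ATTR, observed);

        if (!expected.equals(observed)) {
            // On redeploy via the admin tooling this is where "admin" shows up.
            LOG.warning("init() ran under principal '" + observed
                    + "', expected '" + expected
                    + "'; work started from init() may inherit this identity");
        }
    }
}
```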