EJBContext.getCallerPrinciple().getName() returns anonymous
tomacland Jan 13, 2005 10:05 AM

I was trying out my app on JBoss 4.x today with mostly good results. I have had it working on various versions of 3.x but experienced a problem with calls to getCallerPrinciple() in both the 4.0.0 and 4.0.1 releases.
I'm using a run-as element in the struts servlet configuration in web.xml ...
<servlet>
    ...
    <run-as>
        <description>
            The servlet must run in the internal role.
        </description>
        <role-name>internal</role-name>
    </run-as>
    ...
</servlet>
... and an entry in ejb-jar.xml to restrict access to all methods on my stateless session beans (facades) ...
<method-permission>
    <description><![CDATA[description not supported yet by ejbdoclet]]></description>
    <role-name>internal</role-name>
    <role-name>cms</role-name>
    <method>
        <description><![CDATA[description not supported yet by ejbdoclet]]></description>
        <ejb-name>MetadataManager</ejb-name>
        <method-name>*</method-name>
    </method>
</method-permission>
On a couple of business methods on the session beans I need to call EJBContext.getCallerPrinciple().getName() to carry out different transactions depending on who's doing the asking. In v. 3.x this is all fine. In 4.x, I get "anonymous" back. Removing the run-as entry in web.xml fixes the problem. What's particularly unintuitive about this is that there are no security exceptions thrown, so it looks as if the container recognises the servlet as having the necessary permissions. Also, the entry in my login-config.xml specifies the user "nobody" as the unauthenticated principal name...
<module-option name="unauthenticatedIdentity">nobody</module-option>
It is almost as if the run-as directive is causing the caller's principal to be "masked".
Here is the complete snippet from login-config.xml...
<application-policy name="alertingservice">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="unauthenticatedIdentity">nobody</module-option>
            <module-option name="principalsQuery">
                select password from XUser where username=?
            </module-option>
            <module-option name="rolesQuery">
                select r.name, 'Roles' from role_users_user_roles ru, role r, xuser u
                where ru.user=u.id and ru.role=r.id and u.username = ?
            </module-option>
            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">base64</module-option>
        </login-module>
    </authentication>
</application-policy>
I can work around this issue but I was surprised by it - does it look familiar/explicable to anyone else? Would anyone like more info?
Tom
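The part of the post worth guarding against is that the bean silently ran its per-user transactions under a placeholder identity with no exception at all. The following is an added example, not code from the original post or from JBoss: an EJB 2.x stateless session bean, written in the style of the MetadataManager bean named in the ejb-jar.xml above, that fails closed whenever the container reports a caller name that is not a real logged-in user. The bean class, the updateMetadata method and the list of placeholder names ("anonymous" as observed in the post, "nobody" from the unauthenticatedIdentity option) are assumptions for illustration.

```java
// Added example (not from the original post): an EJB 2.x stateless session bean
// that refuses to run per-user logic when the container-supplied caller identity
// is a placeholder rather than an authenticated user. Bean name, business method
// and the placeholder list are assumptions for illustration.
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class MetadataManagerBean implements SessionBean {
    private SessionContext ctx;

    // Names that mean "nobody actually logged in": the name observed in the post
    // and the unauthenticatedIdentity configured in login-config.xml above.
    private static final String[] NOT_A_USER = { "anonymous", "nobody" };

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Resolve the caller and refuse to proceed if the container handed us a
    // placeholder. Throwing here makes the masking visible instead of silently
    // running the transaction under the wrong name.
    private String requireRealCaller() {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? null : p.getName();
        if (name == null) {
            throw new EJBException("no caller principal available");
        }
        for (int i = 0; i < NOT_A_USER.length; i++) {
            if (NOT_A_USER[i].equals(name)) {
                // Typical cause: a run-as element on the calling servlet replaced
                // the end user's identity before the call reached this bean.
                throw new EJBException("caller identity is '" + name
                        + "', refusing to run per-user transaction");
            }
        }
        return name;
    }

    // Hypothetical business method whose behaviour depends on who is calling.
    public void updateMetadata(String key, String value) {
        String user = requireRealCaller();
        // ... carry out the transaction on behalf of 'user' ...
    }
}
```

With this check in place, the symptom described in the post (run-as on the servlet, no security exception, "anonymous" returned) surfaces as an EJBException in the server log at the first per-user call, rather than as a transaction quietly attributed to the wrong principal.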