2 Replies Latest reply on Aug 29, 2010 8:42 AM by Kobi Ianko

    servlet run-as role

    Petr Matousek Newbie


      I use the 4.0.2 version of JBoss AS and am trying to solve the following issue:

      I have a public servlet without any security constraints that needs to access secured EJBs. To solve such a situation I defined a special security role and added it to the servlet with the <run-as> tag in the web.xml deployment descriptor:


      The corresponding jboss-web.xml role definition is:

      The following calls to HttpServletRequest methods within the servlet's code gave these results, so it seemed that run-as does not work:
      request.isUserInRole("catchit") == false
      request.getUserPrincipal() == null

      Ok, I thought that the role is added only to calls from the servlet to the other components (in my case, to the EJB), so I tried calling the SessionContext method within my SessionBean code:
      sc.getCallerPrincipal() == SimplePrincipal("anonymous")

      but with the same result. The principal is not null any more but again does not have the role "catchit" assigned to the servlet by the run-as tag.

      The role "catchit" is defined within the assembly-descriptor of the ejb-jar.xml:

      My questions are:

      1. Is this solution applicable to the situation described at the beginning?
      2. If so, what have I done wrong?
      3. If not, can you point me to the right way?

      4. Maybe the trouble is that the secure EJBs are not protected by the <method-permissions> declarations within the <assembly-descriptor>, but I use some kind of explicit security checks within the EJBs' method code?

      Looking forward to your smart advice,
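As an added illustration of the split the post describes (this is example code, not part of the original post and not JBoss's own code): the HttpServletRequest methods report the HTTP caller's identity, while the run-as identity is only visible to the callee, so the explicit check from point 4 belongs in the EJB and goes through SessionContext.isCallerInRole. It assumes an EJB 2.1 stateless bean named CatchItBean whose home/remote interfaces and JNDI lookup are omitted, and a web.xml that declares <run-as><role-name>catchit</role-name></run-as> on the servlet.

```java
// File PublicServlet.java (servlet declared with run-as role "catchit" in web.xml, assumed)
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PublicServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // These describe the HTTP caller, not the run-as identity: for an
        // unauthenticated request they stay null/false even with run-as set.
        Principal web = req.getUserPrincipal();
        log("web principal=" + web + " inRole(catchit)=" + req.isUserInRole("catchit"));
        // Home lookup and create() omitted (assumed); the EJB call itself is
        // what the container performs under the run-as identity:
        // CatchIt bean = home.create(); bean.doSecuredWork();
        resp.getWriter().println("done");
    }
}

// File CatchItBean.java (EJB 2.1 stateless bean; home/remote interfaces assumed)
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class CatchItBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { ctx = c; }

    // Explicit check (point 4 of the post) expressed through the container's
    // role mapping rather than a hand-rolled principal-name comparison.
    public void doSecuredWork() {
        // Under run-as, getCallerPrincipal() is the run-as principal (the post
        // observes "anonymous" when none is configured), and isCallerInRole
        // answers for the run-as role, not for the original web caller.
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("catchit")) {
            throw new SecurityException("caller " + caller.getName()
                    + " lacks role catchit");
        }
        // ... secured work ...
    }

    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

For isCallerInRole to resolve "catchit", the role must also be declared for the bean in ejb-jar.xml (via the assembly-descriptor's security-role, plus a security-role-ref if the bean uses a different link name), which is the part of the post's descriptors that is not shown here.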