6 Replies Latest reply on Mar 13, 2009 11:35 AM by wolfgangknauf

    Calling protected ejb method from another

    drfranknfurter

      I need some help on the following scenario:

      @RolesAllowed("role1")
      ejb1.secureMethod1

      @RolesAllowed("role2")
      ejb2.secureMethod2

      secureMethod2 has to be protected, but I have to call the method from ejb1. When I call it from ejb1 I want the container to ignore the security, as the user possibly doesn't have the role. From a business point of view it is OK to call it from ejb1 without the role, but not from another place.

      I have tried AccessController.doPrivileged with no success. It seems I misunderstood its purpose.

      I believe my security setup is correct as I am able to do this if the user has the required role, but fails if he doesn't.

      Can anybody point me in the right direction?
      Thank you in advance.

        • 1. Re: Calling protected ejb method from another
          wolfgangknauf

          Hi,

          would it help to add "role1" to the @RolesAllowed of EJB2?

          If not: you could take a look at the @RunAs annotation (ejb spec 17.3.4):

          Establishing a run-as identity for an enterprise bean does not affect the identities of its callers, which
          are the identities tested for permission to access the methods of the enterprise bean. The run-as identity
          establishes the identity the enterprise bean will use when it makes calls.


          Thus, your bean would make all calls to ejb2 as the role specified by "@RunAs", but its own methods would require "role1".

          Hope this helps

          Wolfgang

          • 2. Re: Calling protected ejb method from another
            drfranknfurter

            Excellent, @RunAs suits my requirements perfectly.

            Thank you very much.

            • 3. Re: Calling protected ejb method from another
              drfranknfurter

              It seems I spoke a bit hastily.

              Although initial tests indicated that this should work, I can't get it to work. I think I misunderstood.

              Here is my scenario:

              Web tier calls EJB1 method which is protected. The user has the required role and all is well. EJB1 calls EJB2 which requires a different role. So I annotated EJB1 with @RunAs specifying the role required by EJB2.

              Unfortunately @RunAs only allows 1 role. This is not sufficient if EJB1 calls various other EJBs protected with various roles. What I tried to do to get around this was create a role, not ever assigned to a user, for this purpose specifically.
              @RunAs would always use this role, and methods that are called from the Web tier AND the EJB tier get this role added to their @RolesAllowed (in addition to the existing role required).
              Sounded like a good idea at the time... except that it does not work.

              Even if the user has the original role required for the method call it fails. Which makes sense, since the only role used to call the EJB is now the one specified with @RunAs. What I don't get is why it is not matching: I have the @RunAs role added to the @RolesAllowed.
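              The @RunAs arrangement described in reply 1 and the "dedicated internal role" variant from the post above, written out as an added example (this is illustrative code, not the poster's project and not from the EJB spec). It assumes EJB 3.x annotations, a synthetic role named "internal" that is declared in the deployment but never granted to a real user, and a local business interface Ejb2Local; the two classes are shown together for brevity but belong in separate source files.

```java
// --- Ejb1.java: entry point for the web tier ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Callers of Ejb1 must still hold "role1"; @RunAs only changes the identity
// that Ejb1 presents on its OUTBOUND calls. "internal" is an assumed, synthetic
// role that is never assigned to a user, so Ejb2's methods cannot be reached
// with it except through Ejb1.
@Stateless
@DeclareRoles({"role1", "internal"})
@RolesAllowed("role1")
@RunAs("internal")
public class Ejb1 {
    @Resource private SessionContext ctx;
    @EJB private Ejb2Local ejb2;

    public void secureMethod1() {
        // Inside Ejb1 the container still reports the real caller. Capture it
        // here for auditing, because Ejb2 will only ever see "internal".
        String onBehalfOf = ctx.getCallerPrincipal().getName();
        ejb2.secureMethod2(onBehalfOf);
    }
}

// --- Ejb2.java: protected by "role2" for direct callers ---
@Stateless
@DeclareRoles({"role2", "internal"})
public class Ejb2 implements Ejb2Local {
    @Resource private SessionContext ctx;

    // Directly callable by "role2" users; also callable via Ejb1, which
    // arrives as "internal". A web-tier caller with only "role1" is refused.
    @RolesAllowed({"role2", "internal"})
    public void secureMethod2(String onBehalfOf) {
        // isCallerInRole / getCallerPrincipal reflect the run-as identity,
        // not the original user, so do not use them for per-user authorization
        // or audit records here; use the value Ejb1 passed in instead.
        boolean delegatedViaEjb1 = ctx.isCallerInRole("internal");
        // ... business logic; log onBehalfOf together with delegatedViaEjb1 ...
    }
}
```

The security consequence worth checking in review is that @RunAs is a privilege grant: every method on Ejb1 now reaches Ejb2 as "internal", so Ejb1's own @RolesAllowed and its method set define the real boundary.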

              • 4. Re: Calling protected ejb method from another
                wolfgangknauf

                This sounds strange. Did you try to assign this role to a user? Can you call your EJB methods with this user?

                Could you post the relevant code snippets and the error message?

                Best regards

                Wolfgang

                • 5. Re: Calling protected ejb method from another
                  drfranknfurter

                  K, I am an idiot. Messed up the test. Our current project is required to run on both JBoss and Glassfish. It works as advertised on JBoss, Glassfish on the other hand ignores it like a traffic sign.

                  Thanks again for your help.

                  • 6. Re: Calling protected ejb method from another
                    wolfgangknauf

                    Nobody is perfect ;-).