-
1. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
komet_1978 May 27, 2009 5:55 AM (in response to komet_1978)
This is the corresponding stack trace:
ERROR [STDERR] javax.ejb.EJBAccessException: Caller unauthorized
ERROR [STDERR] at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:487)
ERROR [STDERR] at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterceptor.java:85)
ERROR [STDERR] at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:72)
ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
ERROR [STDERR] at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
-
2. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
lvonk2000 Oct 2, 2009 10:10 AM (in response to komet_1978)
We are experiencing the same thing. Have you found an answer?
-
3. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
praenti Oct 13, 2009 4:33 AM (in response to komet_1978)
Seeing the same behaviour in an implementation. Looks like a bug in JBoss 5, because I cannot see the idea behind this behaviour. Can anyone do a bug report?
Regards,
Michael
-
4. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
akolmakov Nov 2, 2009 4:35 AM (in response to komet_1978)
-
5. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
komet_1978 Nov 2, 2009 4:42 AM (in response to komet_1978)
"lvonk2000" wrote:
We are experiencing the same thing. Have you found an answer?
No, my work around is to propagate a second level call to a local unsecured EJB.
-
6. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
akolmakov Nov 2, 2009 5:00 AM (in response to komet_1978)
Created issue https://jira.jboss.org/jira/browse/EJBTHREE-1945
-
7. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
wolfc Jul 1, 2010 8:54 AM (in response to komet_1978)
I've added a test in the EJB 3 testsuite, see http://anonsvn.jboss.org/repos/jbossas/projects/ejb3/trunk/testsuite/src/test/java/org/jboss/ejb3/test/ejbthree1945/. It passes against AS trunk. Please take a look at the code and see if I've got the test correctly coded.
-
8. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
pappy Oct 11, 2010 11:05 AM (in response to wolfc)
Hi Carlo
I have attached an archive to https://jira.jboss.org/browse/EJBTHREE-1945, which contains a small example of this kind of failure...
Please note that I haven't used any JBoss-specific @annotation; however, even if I use them the error still persists.
-
9. @RunAs in JBoss 5 - Caller unauthorized in second call
gauravag Jan 21, 2011 1:14 AM (in response to komet_1978)
Hi Thomas,
The point you are talking about is true. It's a sort of bug, I think.
For this you need to add in your login-config.xml file (where you have specified your authentication policy) along with ClientLoginModule.
The whole application can be seen at this link:
http://community.jboss.org/message/555342#555342
You can also see the security FAQ in the JBoss community at this link for some details:
http://community.jboss.org/wiki/SecurityFAQ
Regards,
-
10. @RunAs in JBoss 5 - Caller unauthorized in second call
dlofthouse Jan 21, 2011 5:09 AM (in response to gauravag)
The ClientLoginModule should not be added to the same policy as is used to secure the actual application; doing so can cause unexpected results, especially where a RunAs identity is involved.
-
11. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
grossetieg Apr 2, 2011 4:50 AM (in response to komet_1978)
Hi,
I found an explanation in Ejb3AuthenticationInterceptorv2 (jboss-ejb3-core 1.1.5). On the first call, when the security context is populated, the "to" IncomingRunAs is set with the "from" OutgoingRunAs:
    private void populateSecurityContext(SecurityContext to, SecurityContext from) {
        SecurityActions.setSubjectInfo(to, from.getSubjectInfo());
        SecurityActions.setIncomingRunAs(to, from.getOutgoingRunAs());
    }
On the second call the "from" OutgoingRunAs is now empty or null and the "to" IncomingRunAs is set to empty or null. The caller is no longer trusted:
    boolean trustedCaller = (hasIncomingRunAsIdentity(sc)) || (helper.isTrusted());
The following exception is thrown:
    throw new EJBAccessException("Invalid User");
My work around is to populate the "to" SecurityContext with either the "from" OutgoingRunAs or the "from" IncomingRunAs.
I use the following code to set my "run-as" identity:
    securityContext.setOutgoingRunAs(runAs);
(I was using SecurityAssociation.pushRunAsIdentity() but I think there's a memory leak because the pop() is never called on the threadRunAsStacks).
Then I call my bean annotated with @SecurityDomain(value="A") which calls a second bean annotated with @SecurityDomain(value="A") which calls a third bean annotated with @SecurityDomain(value="C") which....
Without my work around I can only call the first bean... then when the second bean is called an EJBAccessException is thrown.
I'm not sure this is the right way to fix the propagation issue but it's working.
Guillaume.
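
The propagation described in the post above, reduced to a small stand-alone model. This is an added example, not JBoss code and not part of the original post: Ctx, populateAsQuoted, populateWithFallback, walk and the role name "internal-role" are hypothetical stand-ins for the security context, the quoted populateSecurityContext behaviour, and the described work around.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;

/** Simplified model of run-as propagation across nested bean calls (not JBoss classes). */
public class RunAsPropagationDemo {

    /** Hypothetical stand-in for a security context with its two run-as slots. */
    static final class Ctx {
        String incomingRunAs; // run-as identity received from the caller
        String outgoingRunAs; // run-as identity this context asserts on its own calls
    }

    /** Behaviour quoted in the post: only the caller's outgoing run-as is copied. */
    static Ctx populateAsQuoted(Ctx from) {
        Ctx to = new Ctx();
        to.incomingRunAs = from.outgoingRunAs;
        return to;
    }

    /** The described work around: fall back to the caller's incoming run-as. */
    static Ctx populateWithFallback(Ctx from) {
        Ctx to = new Ctx();
        to.incomingRunAs = from.outgoingRunAs != null ? from.outgoingRunAs : from.incomingRunAs;
        return to;
    }

    /** Trust decision of the model: the callee trusts a caller that carries a run-as identity. */
    static boolean trusted(Ctx sc) {
        return sc.incomingRunAs != null;
    }

    /** Walks a chain of nested calls and records, per hop, whether the callee trusts its caller. */
    static List<Boolean> walk(UnaryOperator<Ctx> populate, int hops) {
        Ctx caller = new Ctx();
        caller.outgoingRunAs = "internal-role"; // constructed sample role set before the first call
        List<Boolean> decisions = new ArrayList<>();
        for (int i = 0; i < hops; i++) {
            Ctx callee = populate.apply(caller);
            decisions.add(trusted(callee));
            caller = callee; // the callee makes the next call without setting an outgoing run-as
        }
        return decisions;
    }

    public static void main(String[] args) {
        System.out.println("as quoted:     " + walk(RunAsPropagationDemo::populateAsQuoted, 3));
        System.out.println("with fallback: " + walk(RunAsPropagationDemo::populateWithFallback, 3));
    }
}
```

In this model the fallback keeps the identity set before the first call in effect for every nested hop, so each bean reachable through the chain is invoked under that run-as identity.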
-
12. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
grossetieg Apr 3, 2011 12:28 PM (in response to wolfc)
Carlo de Wolf wrote:
I've added a test in the EJB 3 testsuite, see http://anonsvn.jboss.org/repos/jbossas/projects/ejb3/trunk/testsuite/src/test/java/org/jboss/ejb3/test/ejbthree1945/. It passes against AS trunk. Please take a look at the code and see if I've got the test correctly coded.
I may be wrong but in your test Caller and CallerWithIdentity use StatelessBBean instead of StatelessABean.
Guillaume.
-
13. Re: @RunAs in JBoss 5 - Caller unauthorized in second call
johan.hedin Jun 15, 2011 10:04 AM (in response to komet_1978)
We have the same problem porting from JBoss 4.2.3 to JBoss 5.1.0. I agree that the test needs to use StatelessABean to test the propagation.