6 Replies Latest reply on Feb 5, 2004 10:35 AM by Scott Stark

    Help with Security and MDB

    zumbiehl Newbie


      Could you please help me with a configuration problem with my MDB.

      I am running an MDB with a Container configuration linked to a security domain.

      when the MDB creates a Session Bean , I systematically get a security exception (Principal = null) even if I run the MDB with appropriate role in
      <run-as> in ejb-jar.

      My MDB and session beans use the same security domain.

      If I remove the container configuration in the session bean, every thing works fine.

      Is there a way to allow secured MDB invoking secured session beans ? or MDB can only invoke unsecured session beans ..

      Thanks for your help

        • 1. Re: Help with Security and MDB
          Adrian Brock Master

          You can use <run-as> for the MDB
          or do a jaas login before invoking the session bean


          • 2. Re: Help with Security and MDB
            zumbiehl Newbie

            Thanks for your reply,
            I tried using <run-as> in the MDB, but it still complains about NULL principal when creating another session bean.
            The only thing that helped was modifying the securityContext in login-config.xml as follows:

            <module-option name="unauthenticatedIdentity">guest</module-option>

            I still don't understand why the <run-as> doesn't work ...


            • 3. Re: Help with Security and MDB
              Adrian Brock Master

              <run-as> means run using this role
              (authorization step)

              Your unathenicated identity means "no principal"
              can pass the authentication step.

              Don't map the unathenticated identity to any
              roles and you are ok.


              • 4. Re: Help with Security and MDB
                zumbiehl Newbie

                Thanks again for your help

                • 5. Re: Help with Security and MDB
                  spohl Newbie

                  Somewhere I've read (maybe EJB-Spec.) that a container facing a run-as-role takes one of the users with this role as principal. WebLogic has an appserver specific setting "run-as-principal-name" (XDoclet tag: @weblogic.run-as-identity-principal) that allows to choose an user with the run-as-role manually if there are several.

                  So, shouldn't the setting of a run-as-role be enough since all J2EE security-settings are role-based!? But SecurityInterceptor throws already an exception if there is no user identity supplied and doesn't seem to set the principal to one of the users with that role.

                  Can this this be a feature request or am I wrong?

                  Regards Adrian & Zumbiehl,
                  S. Pohl

                  • 6. Re: Help with Security and MDB
                    Scott Stark Master

                    The spec does not define what role the run-as role should use as the caller identity, and in JBoss, if there is no caller identity you need to configure that an unauthenticated caller should be mapped to some anonymous principal.