1. Re: Help with Security and MDB
adrian.brock Jun 24, 2003 7:09 AM (in response to zumbiehl)
You can use <run-as> for the MDB
or do a JAAS login before invoking the session bean.
Regards,
Adrian
2. Re: Help with Security and MDB
zumbiehl Jun 24, 2003 11:12 PM (in response to zumbiehl)
Thanks for your reply,
I tried using <run-as> in the MDB, but it still complains about NULL principal when creating another session bean.
The only thing that helped was modifying the securityContext in login-config.xml as follows:
<module-option name="unauthenticatedIdentity">guest</module-option>
I still don't understand why the <run-as> doesn't work ...
cheers
christian
3. Re: Help with Security and MDB
adrian.brock Jun 25, 2003 12:07 AM (in response to zumbiehl)
<run-as> means run using this role
(authorization step).
Your unauthenticated identity means "no principal"
can pass the authentication step.
Don't map the unauthenticated identity to any
roles and you are ok.
Regards,
Adrian
4. Re: Help with Security and MDB
zumbiehl Jun 25, 2003 2:51 AM (in response to zumbiehl)
Thanks again for your help
christian
5. Re: Help with Security and MDB
spohl Feb 5, 2004 4:45 AM (in response to zumbiehl)
Somewhere I've read (maybe EJB-Spec.) that a container facing a run-as-role takes one of the users with this role as principal. WebLogic has an appserver-specific setting "run-as-principal-name" (XDoclet tag: @weblogic.run-as-identity-principal) that allows choosing a user with the run-as-role manually if there are several.
So, shouldn't the setting of a run-as-role be enough since all J2EE security-settings are role-based!? But SecurityInterceptor already throws an exception if there is no user identity supplied and doesn't seem to set the principal to one of the users with that role.
Can this be a feature request or am I wrong?
Regards Adrian & Zumbiehl,
S. Pohl
6. Re: Help with Security and MDB
starksm64 Feb 5, 2004 10:35 AM (in response to zumbiehl)
The spec does not define what role the run-as role should use as the caller identity, and in JBoss, if there is no caller identity you need to configure that an unauthenticated caller should be mapped to some anonymous principal.