1. Re: @RunAs doesn't work in JBossAS 4.2.3?
alrubinger Apr 11, 2009 2:18 PM (in response to amcdowell)

Definitely give it a spin on AS 5.0.1.GA or 5.1.0.Beta1; we've got integration tests for this kind of thing. If it turns out you've still got a problem we'll look into either 1) fixing your config or 2) addressing a gap in our test coverage / possible bug.

S,
ALR
2. Re: @RunAs doesn't work in JBossAS 4.2.3?
jaikiran Apr 12, 2009 3:57 AM (in response to amcdowell)

In addition to what Andrew said:

From what I remember, the @RunAs comes into the picture only when you have secured the bean with a @SecurityDomain. Something like:

    import javax.annotation.security.RunAs;
    import javax.ejb.Local;
    import javax.ejb.Remote;
    import javax.ejb.Stateless;
    import javax.ejb.TransactionManagement;
    import javax.ejb.TransactionManagementType;
    // import ...SecurityDomain;  -- package differs between AS 4.x and 5.x, see the P.S. below

    @Stateless
    @TransactionManagement(TransactionManagementType.CONTAINER)
    @Remote(TestSessionBean.class)
    @Local(TestSessionBean.class)
    @RunAs("testRole")
    @SecurityDomain("other")   // the bean must be secured for @RunAs to take effect
    public class TestSessionBeanImpl implements TestSessionBean {
        // bean methods as before
    }

P.S.: Remember to use the @SecurityDomain from the correct package. The package names are different in 4.x and 5.x of AS.
3. Re: @RunAs doesn't work in JBossAS 4.2.3?
amcdowell Apr 16, 2009 3:18 PM (in response to amcdowell)

I researched this a little more. My example above is actually wrong. I tried to simplify my actual problem, and simplified it too far.
According to EJB 3.0 Section 17.2.5.2:

    Note that isCallerInRole(String roleName) tests the principal that represents the
    caller of the enterprise bean, not the principal that corresponds to the run-as
    security identity for the bean, if any.

So my above example will never print true in a compliant container.
However my real problem is actually the more complex example (properly using RunAs):

    import javax.annotation.Resource;
    import javax.annotation.security.RunAs;
    import javax.ejb.Local;
    import javax.ejb.Remote;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;
    import javax.ejb.TransactionManagement;
    import javax.ejb.TransactionManagementType;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;

    // CalleeSessionBean.java
    public interface CalleeSessionBean {
        public void execute();
    }

    // CalleeSessionBeanImpl.java
    @Stateless
    @TransactionManagement(TransactionManagementType.CONTAINER)
    @Remote(CalleeSessionBean.class)
    @Local(CalleeSessionBean.class)
    public class CalleeSessionBeanImpl implements CalleeSessionBean {
        @Resource
        private SessionContext context;

        public void execute() {
            System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
            // should be true when invoked through CallerSessionBeanImpl's @RunAs("CallerRole")
            System.out.println("CallerInRole(CallerRole): " + context.isCallerInRole("CallerRole"));
        }
    }

    // CallerSessionBean.java
    public interface CallerSessionBean {
        public void execute();
    }

    // CallerSessionBeanImpl.java
    @Stateless
    @TransactionManagement(TransactionManagementType.CONTAINER)
    @Remote(CallerSessionBean.class)
    @Local(CallerSessionBean.class)
    @RunAs("CallerRole")
    public class CallerSessionBeanImpl implements CallerSessionBean {
        @Resource
        private SessionContext context;

        public void execute() {
            try {
                InitialContext initialContext = new InitialContext();
                // JNDI lookup returns Object in EJB 3.0; cast to the local interface
                CalleeSessionBean callee =
                    (CalleeSessionBean) initialContext.lookup("CalleeSessionBean/local");
                callee.execute();
            } catch (NamingException e) {
                throw new RuntimeException("Lookup of CalleeSessionBean/local failed", e);
            }
        }
    }
In this case, the Callee still prints false, despite the fact that it should have acquired the RunAs CallerRole.
I traced through the code and the problem is due to https://jira.jboss.org/jira/browse/EJBTHREE-741, a defect in the RunAsSecurityInterceptor. Even though the issue claims it was applied to AS 4.2.0, it does not appear to be. It is however applied to the 5.0.0+ branches.
Bottom line: the answer to my own question is that the @RunAs EJB 3.0 annotation is broken in the 4.2.x branches, but does work correctly in the 5.x branches.
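An added example, not code from this thread or from JBoss, that puts the two replies together on the AS 5.x line: the callee is secured with @SecurityDomain and @RolesAllowed so the run-as identity is actually checked, the caller runs as CallerRole, and the caller bean itself is restricted to a real user role so the run-as escalation is not reachable by arbitrary callers. It assumes the security domain name "other" from the thread, that org.jboss.ejb3.annotation.SecurityDomain is the AS 5.x package (AS 4.x uses a different one, as the P.S. above says), @EJB injection in place of the thread's JNDI lookup, and a constructed role name AppUser. It needs a container to run; nothing here executes stand-alone.

```java
// Added example (not from the thread). Targets JBoss AS 5.x; the @SecurityDomain
// package is assumed to be org.jboss.ejb3.annotation. "other" is the domain the
// thread uses; "AppUser" is a constructed role name.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// --- Callee: only reachable by a caller carrying CallerRole ---
@Local
public interface Callee {
    String describeCaller();
}

@Stateless
@SecurityDomain("other")        // without this the container never evaluates roles here
@DeclareRoles("CallerRole")
@RolesAllowed("CallerRole")     // any caller without CallerRole is rejected before the method runs
public class CalleeBean implements Callee {
    @Resource
    private SessionContext ctx;

    public String describeCaller() {
        // Inside the callee, the "caller" is the run-as identity pushed by CallerBean,
        // so isCallerInRole("CallerRole") is true when invoked through CallerBean.
        return ctx.getCallerPrincipal().getName()
             + " inRole(CallerRole)=" + ctx.isCallerInRole("CallerRole");
    }
}

// --- Caller: runs as CallerRole, but only AppUser principals may invoke it ---
@Local
public interface Caller {
    String run();
}

@Stateless
@SecurityDomain("other")
@DeclareRoles({"AppUser", "CallerRole"})
@RolesAllowed("AppUser")        // gate the escalation: run-as is not an anonymous entry point
@RunAs("CallerRole")            // downstream beans see CallerRole, not the user's own roles
public class CallerBean implements Caller {
    @Resource
    private SessionContext ctx;

    @EJB
    private Callee callee;      // injection instead of the JNDI lookup used in the thread

    public String run() {
        // EJB 3.0 section 17.2.5.2: isCallerInRole here tests the real caller, not the
        // run-as identity, so this is false unless the user also holds CallerRole.
        boolean selfInRole = ctx.isCallerInRole("CallerRole");
        return "caller inRole(CallerRole)=" + selfInRole
             + "; callee says: " + callee.describeCaller();
    }
}
```

The two role checks are the point: CallerBean.run() reports the user's own roles, while CalleeBean.describeCaller() reports the run-as role, which is exactly the split the spec quote above describes. Keeping @RolesAllowed on the run-as bean is the part to review in a deployment, since a @RunAs bean without it hands CallerRole to whoever can reach the bean.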