Hi

I have some additional info, maybe anybody has a clue what I don't see.

I went through all interceptors when invoking a method on the EJB.

I have an authenticated subject, a valid runAsIdentity consisting of princpal and role.

I saw that "SecurityActions.pushRunAsIdentity(runAsIdentity);" pushed the correct runAsIdendity assembled from ejb-jar.xml and jboss.xml

-With the SessionContext in the Ejb I can successfully call

     context.getCallerPrincipal()

and get a valid Principal back as defined in RunAs.

-SecurityRoleRefMetaData.getRoleName() called by EnterpriseContext returns the correct roleName.

But SecurityActions.getContextSubject() returns NULL

Does anybody have a clue what I can do?

Thanks for helping

Hubert

Updated

Hi,

When I do a IsCallerInRole("role") it calls

SubjectPolicyContextHandler.getAuthenticatedSubject();  which returns NULL

SecurityContext.getIncomingRunsAs() also returns null

I do not understand this, since I explicitly do a login before creating / calling the EJB.

This is my l appliaction-policy:

<application-policy name="MyRealm">
        <authentication>
            <login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
        </authentication>
  </application-policy>

The EJB 2.0 runs in MyRealm, and both login-module succeed.

Still hope for any hints.

Thank you

Ok, I think I isolated the problem.

SecurityActions.popSubjectContext() is called after every call and  an authenticated subject is pushed before every call.

So when I arrive at my ejb method, the context is good and   context.IsCallerInRole("role") works fine.
But I call several other EJB's with unchecked security / local view  (BYPASS_SECURITY). When calling these EJB's the authenticated subject  is set to NULL and left to NULL.
After return of these EJB calls the authenticated subject is still  null and that's why my further context.isCallerInRole() from my current EJB fail.

Does anybody have an idea how to work arround this?

Thank you
Hubert

Ok, I fixed my problem.

As mentioned I lost my authenticated subject .
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss of this.

I edited the corresponding jboss.xml and added a

   1. <security-domain>java:/jaas/EjbRealm</security-domain>

In login-config.xml I added:

   1.     <application-policy name="EjbRealm"> 
   2.         <authentication> 
   3.             <login-module code="org.jboss.security.ClientLoginModule" flag="required"> 
   4.                 <module-option name="restore-login-identity">true</module-option> 
   5.             </login-module> 
   6.         </authentication> 
   7.     </application-policy>

note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.

Before my changes this EJB run in "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.

Hope this help others.
Hubert