Here is the background:

We need develop a runas API on JBoss, which accepts a  user name as input:

SubjectSecurity.executeAs(String username,  PrivilegedAction<T>action);

There is no such API on JBoss so we decide to create  it ourselves.

In the method above, we construct a JBoss subject  based on the user name, create a new security context and set it as  current security context, and save the subject in current security  context.

Now comes the problem: on accessing a secure ejb from  the passed in PrivilegedAction object, authorization fails. I specified  role mapping in jboss.xml (see  http://community.jboss.org/wiki/MappingRolesinJBossApplicationServerv5x)  and the role was granted to access the ejb in ejb-jar.xml.

I checked JBoss's source code. On accessing ejb,  before authorization, JBoss will validate current security context  first. The security context is validated like this:

isValid =  validate current security context using current identity trust manager;

if (!isValid) {

   invoke JAAS login(principal from  current security context, credential from current security context);

}

For ejbs, current identity trust manager is always  null because by default the IdentityTrust feature is disabled in  JNDIBasedSecurityManagement. So isValid is false. There is no credential  in current security context, and so JAAS login fails, too.

I have two approaches:

approach 1: implement a custom identity trust module to validate  the security context

approach 2: save the credential in the security context

Approach 2 is simpler. However, as there is no  credential/password from the user's input, I need fetching credential  from identity stores (usually LDAP servers). For some types of LDAP  servers, fetching users' credentials is forbidden.

So approach 1 is the only choice.

Now the problem is the IdentityTrust feature is  disabled by default in JNDIBasedSecurityManagement which is used in ejbs  and it looks to me there is no way to enable it.