1 Reply Latest reply on Jul 16, 2010 1:32 AM by duane3

    how to enable IdentityTrust for ejbs?

    duane3

      org.jboss.security.integration.JNDIBasedSecurityManagement is used in EJBs. IdentityTrust is disabled by default. From JNDIBasedSecurityManagement.java:

      /** Enable the IdentityTrust feature */
      protected boolean enableIdentity = false;

      I want to use the IdentityTrust feature in EJBs. How do I enable it?

      Thanks for your help.

        • 1. Re: how to enable IdentityTrust for ejbs?
          duane3

          Here is the background:

          We need to develop a runas API on JBoss, which accepts a user name as input:

          SubjectSecurity.executeAs(String username, PrivilegedAction<T> action);

          There is no such API on JBoss, so we decided to create it ourselves.

          In the method above, we construct a JBoss subject based on the user name, create a new security context and set it as the current security context, and save the subject in the current security context.

          Now comes the problem: on accessing a secure EJB from the passed-in PrivilegedAction object, authorization fails. I specified the role mapping in jboss.xml (see http://community.jboss.org/wiki/MappingRolesinJBossApplicationServerv5x) and the role was granted access to the EJB in ejb-jar.xml.

          I checked JBoss's source code. On accessing an EJB, before authorization, JBoss will validate the current security context first. The security context is validated like this:

          isValid = validate current security context using current identity trust manager;

          if (!isValid) {
              invoke JAAS login(principal from current security context, credential from current security context);
          }

          For EJBs, the current identity trust manager is always null because by default the IdentityTrust feature is disabled in JNDIBasedSecurityManagement. So isValid is false. There is no credential in the current security context, and so the JAAS login fails, too.

          I have two approaches:

          approach 1: implement a custom identity trust module to validate the security context

          approach 2: save the credential in the security context

          Approach 2 is simpler. However, as there is no credential/password from the user's input, I need to fetch the credential from identity stores (usually LDAP servers). For some types of LDAP servers, fetching users' credentials is forbidden.

          So approach 1 is the only choice.

          Now the problem is that the IdentityTrust feature is disabled by default in JNDIBasedSecurityManagement, which is used in EJBs, and it looks to me like there is no way to enable it.
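The executeAs() wrapper described in the reply together with approach 1 (a custom identity trust module), written out as an added Java example; this is not code from the thread or from JBoss itself. The JBoss types used (SecurityContext, SecurityContextAssociation, SecurityContextFactory, SecurityContextUtil, SimplePrincipal, IdentityTrustModule, IdentityTrustManager.TrustDecision) are assumed to have the signatures of the JBoss AS 5 jbosssx SPI as the editor recalls them; RunAsMarkerPrincipal, RunAsIdentityTrustModule and the security-domain name passed by the caller are invented for the example. Wiring the module into a security domain is not shown, since the thread's open question is precisely that the EJB path never consults an identity trust manager.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.identitytrust.IdentityTrustException;
import org.jboss.security.identitytrust.IdentityTrustModule;
import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;

/** Marker that only executeAs() puts in the Subject; the trust module looks for it. (Hypothetical, not a JBoss class.) */
final class RunAsMarkerPrincipal implements Principal {
    public String getName() { return "runas-marker"; }
}

public final class SubjectSecurity {
    private SubjectSecurity() {}

    /**
     * Run action as username on the current thread. Builds a Subject for the user
     * with no credential (the caller has none, which is why the container's JAAS
     * login fallback fails), installs it in a fresh SecurityContext for
     * securityDomain, and restores the previous context in finally so the
     * impersonation cannot leak into later work on a pooled thread.
     */
    public static <T> T executeAs(String securityDomain, String username, PrivilegedAction<T> action) {
        if (username == null || username.isEmpty()) {
            throw new IllegalArgumentException("username must not be empty");
        }
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        try {
            Principal user = new SimplePrincipal(username);
            Subject subject = new Subject();
            subject.getPrincipals().add(user);
            subject.getPrincipals().add(new RunAsMarkerPrincipal());

            // createSecurityContext(String) is declared to throw Exception in the SPI.
            SecurityContext ctx = SecurityContextFactory.createSecurityContext(securityDomain);
            ctx.getUtil().createSubjectInfo(user, null, subject); // null credential
            SecurityContextAssociation.setSecurityContext(ctx);
            return action.run();
        } catch (Exception e) {
            throw new SecurityException("executeAs(" + username + ") failed", e);
        } finally {
            if (previous != null) {
                SecurityContextAssociation.setSecurityContext(previous);
            } else {
                SecurityContextAssociation.clearSecurityContext();
            }
        }
    }
}

/**
 * Approach 1 from the post. Vouches only for a SecurityContext built by executeAs():
 * the Subject must carry the marker principal and the context's user principal.
 * Anything else is NotApplicable so other modules (or the default deny) decide;
 * it never returns Permit just because a Subject is present, since any code can
 * construct one. (Shown package-private to keep one listing; a real module lives
 * in its own file and is public so the framework can instantiate it.)
 */
class RunAsIdentityTrustModule implements IdentityTrustModule {
    private SecurityContext sc;

    public void initialize(SecurityContext sc, CallbackHandler cbh,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sc = sc;
    }

    public TrustDecision isTrusted() throws IdentityTrustException {
        if (sc == null) return TrustDecision.NotApplicable;
        Subject subject = sc.getUtil().getSubject();
        Principal user = sc.getUtil().getUserPrincipal();
        if (subject == null || user == null) return TrustDecision.NotApplicable;
        boolean marked = !subject.getPrincipals(RunAsMarkerPrincipal.class).isEmpty();
        boolean hasUser = subject.getPrincipals().contains(user);
        return (marked && hasUser) ? TrustDecision.Permit : TrustDecision.NotApplicable;
    }

    public boolean commit() { return true; }
    public boolean abort()  { return true; }
}
```

The point of the marker is scope: a trust module that permits any context carrying a Subject would let any code on the server mint an identity, so the module should only trust contexts produced by the one code path you control, and executeAs() must always restore the prior context so the elevated identity does not outlive the action.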