3 Replies Latest reply on Nov 30, 2010 4:59 PM by smith.gerry

AS4, AS5 and run-as

smith.gerry Nov 28, 2010 12:30 AM

A guest (unauthenticated entity) accesses an unchecked session bean (SB1) which has runas=myrole.

SB1 calls another session bean SB2 which requires myrole.

SB2 calls a method on an entity bean which also requires myrole.

In AS 4, this works.

In AS 5.1, this throws a security exception because SB2 is not running as myrole.

I think AS 5.0 did the same when tested some time ago.

Is this a bug or intended ?

is there a workaround ?

In AS 6, does the runas role propogate through the calls as in AS 4, or not as in AS 5.1 ?

Many thanks,

Gerry

1. Re: AS4, AS5 and run-as

smith.gerry Nov 28, 2010 11:53 PM (in response to smith.gerry)

It looks like AS 6 does the same as AS 5.
I tried posting this on jira but it doesn't accept my username/password.
Actions
2. Re: AS4, AS5 and run-as

wolfgangknauf Nov 30, 2010 1:15 PM (in response to smith.gerry)

Is this the same as this issue: https://jira.jboss.org/browse/EJBTHREE-1945

Do you use EJB2.1 or EJB3?

Note that I cannot provide you with much more help, but I remembered having read about other issues with "RunAs" and asked a search engine for it ;-).

Best regards

Wolfgang
Actions
3. Re: AS4, AS5 and run-as

smith.gerry Nov 30, 2010 4:59 PM (in response to wolfgangknauf)

Hi Wolfgang,

Yes that seems to be the same issue, thanks for finding it.

I'm using EJB 2.1 - I'm stuck on AS4 unless this gets resolved or I refactor a lot of code so that an unidentified entity will never call a session bean which calls another session bean. I'm working on getting Infinispan working on AS4 at the moment..

Gerry
Actions