Security propagation from Servlet to EJB

weberj Feb 4, 2013 10:42 AM

Hi,

I tried security propagation from a Servlet to an EJB. The bean is injected, the call to the EJB works. The servlet is secured, request.getRemoteUser() gives the correct user.

But in the EJB I get

callerPrincipal: anonymous

Corresponding to the Java EE 6 tutorial, the user should be propagated by default:

"By default, the identity of the caller of the intermediate component is propagated to the target enterprise bean"

http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyr

How do you make that work with JBoss 7.1 ?

Thanks,

Juergen

1. Re: Security propagation from Servlet to EJB

jaikiran Feb 4, 2013 11:11 AM (in response to weberj)

Is your EJB secured? What does it look like?
Actions
2. Re: Security propagation from Servlet to EJB

weberj Feb 5, 2013 9:56 AM (in response to jaikiran)

The bean method is secured, with @RolesAllowed
Also the bean has a
jboss-ejb3.xml
with
<assembly-descriptor>
        <sec:security>
            <ejb-name>*</ejb-name>
            <sec:security-domain>other</sec:security-domain>
        </sec:security>
    </assembly-descriptor>
Actions

Go to original post