4 Replies Latest reply on Jan 3, 2014 12:34 PM by rsoika

How to confgure @RunAs in WildFly?

rsoika Jan 2, 2014 8:14 AM

hi,

I have a EJB annotated with @RunAs:

@DeclareRoles({ "org.imixs.ACCESSLEVEL.MANAGERACCESS" })

@Stateless

@RunAs("org.imixs.ACCESSLEVEL.MANAGERACCESS")

public class SetupService {

...

}

A method of this EJB is called from a Startup Servlet (maybe this is a special issue?)

I got the error message:

13:54:20,370 ERROR [org.jboss.as.ejb3.invocation] (MSC service thread 1-8) JBAS014134: EJB Invocation failed on component SetupService for method public void org.imixs.marty.ejb.SetupService.init() throws org.imixs.workflow.exceptions.AccessDeniedException: javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.imixs.marty.ejb.SetupService.init() throws org.imixs.workflow.exceptions.AccessDeniedException of bean: SetupService is not allowed

at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:115) [wildfly-ejb3-8.0.0.CR1.jar:8.0.0.CR1]

I am not sure if I mix up two issues here (secured ejb and startup servlet)

My question is: What is necessary from the security configuration in WildFly to define the @RunAs annotation in my EJB?

I am migrating from GlassFish and there it was necessary to define a principal name to be used for the EJB method calls in the glassfish-ejb-jar.xml file.

Maybe I am missing an jboss equivalent descriptor? But I did not find an example.

thanks for help

======

Ralph

1. Re: How to confgure @RunAs in WildFly?

cfillot Jan 2, 2014 4:26 PM (in response to rsoika)

Hello,

I think you have to use @RolesAllowed(...) or @PermitAll on the init() method of your EJB.
Also, you have to define a security domain (which is "other" by default) in jboss-ejb.xml (or WEB-INF/jboss-web.xml for the webapp part)
1 of 1 people found this helpful
Actions
2. Re: Re: How to confgure @RunAs in WildFly?

rsoika Jan 3, 2014 8:19 AM (in response to cfillot)

Hi,
yes it looks like the jboss-ejb3.xml file was missing in my EJB module. After I added the jboss-ejb3.xml with the following content my application works!

<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:s="urn:security:1.1"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
version="3.1" impl-version="2.0">

<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain>other</s:security-domain>
<s:run-as-principal>manfred</s:run-as-principal>
<s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
</s:security>
</assembly-descriptor>

</jboss:ejb-jar>

I am not sure if the run-as-principal is necessary here.?

But thanks for your hint!

====
Ralph
Actions
3. Re: How to confgure @RunAs in WildFly?

cfillot Jan 3, 2014 8:50 AM (in response to rsoika)

I don't think the "s:run-as-principal" is necessary for your case (it means your EJBs will run with a principal called "manfred")
This is the missing-method-permissions-deny-access which is important here: by default it is set to true, and this prevents access
to methods of a secured EJB which have no explicit security configuration (equivalent to an hidden @DenyAll annotation)

Securing EJBs - JBoss AS 7.2 - Project Documentation Editor
Actions
4. Re: How to confgure @RunAs in WildFly?

rsoika Jan 3, 2014 12:34 PM (in response to cfillot)

Thanks for help!
Actions

Go to original post