2 Replies Latest reply on Jul 26, 2015 8:22 AM by jewellgm

    WildFly 9.0.0.Final not honoring @RunAs?

    jewellgm

      Hello,

       

      I've got an application that utilizes the @RunAs annotation to invoke stateless EJB methods that require authentication.  In JBoss 7.1.1 and pre-release versions of WildFly 9, this worked without issue.  With the final release of 9, however, the method calls are blocked with the following error message:

       

      WFLYEJB0364: Invocation on method: ... of bean: InvokerBean is not allowed.

       

      The InvokerBean is looked up by a non-bean using the InitialContext.lookup methodology.  InvokerBean is annotated with @RunAs("AUTHENTICATED_USER") and @SecurityDomain("SAMPLE").  The bean that's being invoked is acquired via injection on the InvokerBean, and is annotated at the class level with @SecurityDomain("SAMPLE") and at the method level with @RolesAllowed("AUTHENITCATED_USER").

       

      Can anybody confirm this, or do I need to do something additional with WF9?

        • 1. Re: WildFly 9.0.0.Final not honoring @RunAs?
          jaikiran

          Greg Jewell wrote:

           


          The InvokerBean is looked up by a non-bean using the InitialContext.lookup methodology.  InvokerBean is annotated with @RunAs("AUTHENTICATED_USER") and @SecurityDomain("SAMPLE").  The bean that's being invoked is acquired via injection on the InvokerBean, and is annotated at the class level with @SecurityDomain("SAMPLE") and at the method level with @RolesAllowed("AUTHENITCATED_USER").

           

          Can anybody confirm this, or do I need to do something additional with WF9?

          What you have there should be good enough. I don't see anything obviously wrong or missing. Can you add the exact exception stacktrace and the bean code? Perhaps attach a reproducible application too.

          • 2. Re: WildFly 9.0.0.Final not honoring @RunAs?
            jewellgm

            I'm sorry -- I was given incorrect information.  This was an area of the code that I don't have the ability to test because it deals with an external system that I don't have access to.  The code did not work on WF9 CR2, either.

             

            The exception wasn't being thrown when the InvokerBean with the @RunAs annotation was trying to invoke another gated EJB, but when the POJO was trying to call a method on the InvokerBean.  Since InvokerBean was also annotated with @SecurityDomain, it needed to be invoked by a valid user.  In AS7, the default access was @PermitAll if something wasn't explicitly labeled with permissions.  In WF8, the default changed to @DenyAll.  I made the appropriate code changes, and things started working again.

             

            Sorry about the false alarm -- I should have checked into this more closely.
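
The arrangement described in this thread, as an added example that is not the poster's code: two source files showing an entry bean in a security domain that carries an explicit method permission, so the deny-by-default behaviour no longer blocks the POJO caller, while @RunAs still supplies the role to the gated bean. The class name GatedBean, the method names, and the choice of @PermitAll as the explicit permission are assumptions; the thread does not say which code changes were made.

```java
// InvokerBean.java (hypothetical reconstruction; method names are assumptions)
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("SAMPLE")
@RunAs("AUTHENTICATED_USER")   // role propagated to beans that this bean calls
public class InvokerBean {

    @EJB
    private GatedBean gated;   // hypothetical name for the injected, gated bean

    // With no explicit permission, a method on a bean that belongs to a
    // security domain is denied (WFLYEJB0364) when the default is deny.
    // @PermitAll admits the unauthenticated POJO caller, so put it on the
    // narrowest set of methods rather than on the whole class.
    @PermitAll
    public String invoke() {
        // The outgoing call carries the AUTHENTICATED_USER role from @RunAs.
        return gated.doWork();
    }
}

// GatedBean.java (hypothetical name; assumed to be a no-interface view bean)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("SAMPLE")
public class GatedBean {

    // The role string must match the @RunAs value on the caller exactly.
    @RolesAllowed("AUTHENTICATED_USER")
    public String doWork() {
        return "ok";
    }
}
```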