use-caller-identity and permssions

irenekam Jan 31, 2002 2:45 PM

Hi all,

I have a session bean, in the deployment descriptor,
I have assigned the following:

<security-identity>
<use-caller-identity/>
</security-identity>

I also have one method within the session bean that
retrieves a list of files from the operating system. I
want this method to execute under the caller's identity.
When I login to the session bean using the id "caller1",
my println statement within that method says my principal
name is "caller1", which is correct. Same for "caller2",
etc.

The problem: I want the method to retrieve the list of
operating system files according to the read/write/exec
permissions as defined on that machine. So, for example,
if caller1 does not have permission to read file A, then
that method should return an exception.

However, even though the file permission does not give
caller1 permissions, caller1 can still read/write/exe
the file. So, the problem is, it seems like that
method is NOT executing as the caller's identity. But
rather, it's executing as the userid of the user that
started the JBoss server.

What am I doing wrong here? My goal is to get the
methods to do something according the the caller's
identity and permissions associated with the server's
operating system permissions.

I would appreciate any help! Thanks in advance!

1. Re: use-caller-identity and permssions

ahjulsta Jan 31, 2002 5:15 PM (in response to irenekam)

The "use-caller-identity" -tag relates to method invocations on other beans and managed resources(?). File system access from the session bean is not intercepted by the security infrastructure in JBoss.

And also, btw, file system access from beans is against the spec, you might want to do the file system access from a MBean of some sort. To accomplish what you want with regards to security, you'll probably have to do the mapping between principals and unix usernames yourself.

Åsmund Hjulstad
Actions