3 Replies Latest reply on Apr 16, 2009 3:18 PM by Andrew McDowell

    @RunAs doesn't work in JBossAS 4.2.3?

    Andrew McDowell Newbie

      I'm trying to convert some our session beans to EJB 3.0 prior to an AS 5.0 upgrade, and we use JAAS heavily in our server.

      When I have the code:

      public interface TestSessionBean {
       public void execute();
      }


      @Stateless
      @TransactionManagement(TransactionManagementType.CONTAINER)
      @Remote(TestSessionBean.class)
      @Local(TestSessionBean.class)
      @RunAs("testRole")
      public class TestSessionBeanImpl implements TestSessionBean {
       @Resource
       private SessionContext context;
      
       public void execute() {
       System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
       System.out.println("CallerInRole(testRole): " + context.isCallerInRole("testRole"));
       }
      }


      The bean is deployed correctly and can be invoked, but it prints "false", the caller is not in the "testRole", despite the RunAs annotation.

      When I look through the 4.2.3 code, it looks like their may be a fence-post problem in org.jboss.security.SecurityAssociation$RunAsThreadLocalStack.peek() (Line 686), because the "testRole" RunAsIdentity is in the stack at the [1] position, null is at the [0] position, and it only looks at [0] and then exits because the depth is now 2.

      Is this to correct behavior? Did something change about RunAs for EJB 3.0?

      A similar configuration in an assembly descriptor granted the role to the bean it was defined for in the EJB 2.x version.

      I also looked in JIRA and didn't see a bug directly about this problem. I may try a preemptive upgrade to 5.0 and just see if the problem is resolved there.

      -Andrew

        • 1. Re: @RunAs doesn't work in JBossAS 4.2.3?
          Andrew Rubinger Master

          Definitely give it a spin on AS 5.0.1.GA or 5.1.0.Beta1; we've got integration tests for this kind of thing. If it turns out you've still got a problem we'll look into either 1) Fixing your config or 2) Addressing a gap in our test coverage / possible bug.

          S,
          ALR

          • 2. Re: @RunAs doesn't work in JBossAS 4.2.3?
            jaikiran pai Master

            In addition to what Andrew said -

            From what i remember, the @RunAs comes into picture only when you have secured the bean with a @SecurityDomain. Something like:

            @Stateless
            @TransactionManagement(TransactionManagementType.CONTAINER)
            @Remote(TestSessionBean.class)
            @Local(TestSessionBean.class)
            @RunAs("testRole")
            @SecurityDomain("other")
            public class TestSessionBeanImpl implements TestSessionBean {
            


            P.S: Remember to use the @SecurityDomain from the correct package. The package names are different in 4.x and 5.x of AS.


            • 3. Re: @RunAs doesn't work in JBossAS 4.2.3?
              Andrew McDowell Newbie

              I researched this a little more. My example above is actually wrong. I tried to simplify my actual problem, and simplified it too far.

              According to EJB 3.0 Section 17.2.5.2:


              Note that isCallerInRole(String roleName) tests the principal that represents the
              caller of the enterprise bean, not the principal that corresponds to the run-as security identity
              for the bean, if any.


              So my above example will never print true in a compliant container.

              However my real problem is actually the more complex example (properly using RunAs):

              public interface CalleeSessionBean {
               public void execute();
              }
              


              @Stateless
              @TransactionManagement(TransactionManagementType.CONTAINER)
              @Remote(CalleeSessionBean.class)
              @Local(CalleeSessionBean.class)
              public class CalleeSessionBeanImpl implements CalleeSessionBean {
               @Resource
               private SessionContext context;
              
               public void execute() {
               System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
               System.out.println("CallerInRole(testRole): " + context.isCallerInRole("CallerRole"));
               }
              }
              


              public interface CallerSessionBean {
               public void execute();
              }
              



              @Stateless
              @TransactionManagement(TransactionManagementType.CONTAINER)
              @Remote(CallerSessionBean.class)
              @Local(CallerSessionBean.class)
              @RunAs("CallerRole")
              public class CallerSessionBeanImpl implements CallerSessionBean {
               @Resource
               private SessionContext context;
              
               public void execute() {
               InitialContext initialContext = new InitialContext();
               CalleeSessionBean callee = initialContext.lookup("CalleeSessionBean/local");
               callee.execute();
               }
              }
              


              In this case, the Callee still prints false, despite the fact it should have aquired the RunAs CallerRole.

              I traced through the code and the problem is due to https://jira.jboss.org/jira/browse/EJBTHREE-741, a defect in the RunAsSecurityInterceptor. Even though the issue claims it was applied to AS 4.2.0, it does not appear to be. It is however applied to the 5.0.0+ branches.

              Bottom Line: the answer to my own question is: The @RunAs EJB 3.0 annotation is broken in the 4.2.x branches, but does work correctly in the 5.x branches.