3 Replies Latest reply on Apr 16, 2009 3:18 PM by amcdowell

    @RunAs doesn't work in JBossAS 4.2.3?

      I'm trying to convert some of our session beans to EJB 3.0 prior to an AS 5.0 upgrade, and we use JAAS heavily in our server.

      When I have the code:

      // TestSessionBean.java
      public interface TestSessionBean {
          public void execute();
      }

      // TestSessionBeanImpl.java
      import javax.annotation.Resource;
      import javax.annotation.security.RunAs;
      import javax.ejb.Local;
      import javax.ejb.Remote;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      import javax.ejb.TransactionManagement;
      import javax.ejb.TransactionManagementType;

      @Stateless
      @TransactionManagement(TransactionManagementType.CONTAINER)
      @Remote(TestSessionBean.class)
      @Local(TestSessionBean.class)
      @RunAs("testRole")
      public class TestSessionBeanImpl implements TestSessionBean {
          // Injected by the container; exposes the caller principal and role checks
          @Resource
          private SessionContext context;

          public void execute() {
              System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
              System.out.println("CallerInRole(testRole): " + context.isCallerInRole("testRole"));
          }
      }


      The bean is deployed correctly and can be invoked, but it prints "false", the caller is not in the "testRole", despite the RunAs annotation.

      When I look through the 4.2.3 code, it looks like there may be a fence-post problem in org.jboss.security.SecurityAssociation$RunAsThreadLocalStack.peek() (Line 686), because the "testRole" RunAsIdentity is in the stack at the [1] position, null is at the [0] position, and it only looks at [0] and then exits because the depth is now 2.

      Is this the correct behavior? Did something change about RunAs for EJB 3.0?

      A similar configuration in an assembly descriptor granted the role to the bean it was defined for in the EJB 2.x version.

      I also looked in JIRA and didn't see a bug directly about this problem. I may try a preemptive upgrade to 5.0 and just see if the problem is resolved there.

      -Andrew

        • 1. Re: @RunAs doesn't work in JBossAS 4.2.3?
          alrubinger

          Definitely give it a spin on AS 5.0.1.GA or 5.1.0.Beta1; we've got integration tests for this kind of thing. If it turns out you've still got a problem we'll look into either 1) Fixing your config or 2) Addressing a gap in our test coverage / possible bug.

          S,
          ALR

          • 2. Re: @RunAs doesn't work in JBossAS 4.2.3?
            jaikiran

            In addition to what Andrew said -

            From what I remember, the @RunAs comes into picture only when you have secured the bean with a @SecurityDomain. Something like:

            // Same bean as in the first post, plus the javax.ejb / javax.annotation imports shown there and
            // (AS 4.x package; AS 5.x uses org.jboss.ejb3.annotation.SecurityDomain instead):
            import org.jboss.annotation.security.SecurityDomain;
            @Stateless
            @TransactionManagement(TransactionManagementType.CONTAINER)
            @Remote(TestSessionBean.class)
            @Local(TestSessionBean.class)
            @RunAs("testRole")
            @SecurityDomain("other")   // "other" is the default application-policy in JBoss's login-config.xml
            public class TestSessionBeanImpl implements TestSessionBean {
                @Resource
                private SessionContext context;
                public void execute() {
                    System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
                    System.out.println("CallerInRole(testRole): " + context.isCallerInRole("testRole"));
                }
            }


            P.S: Remember to use the @SecurityDomain from the correct package. The package names are different in 4.x and 5.x of AS.


            • 3. Re: @RunAs doesn't work in JBossAS 4.2.3?

              I researched this a little more. My example above is actually wrong. I tried to simplify my actual problem, and simplified it too far.

              According to EJB 3.0 Section 17.2.5.2:


              Note that isCallerInRole(String roleName) tests the principal that represents the
              caller of the enterprise bean, not the principal that corresponds to the run-as security identity
              for the bean, if any.


              So my above example will never print true in a compliant container.

              However my real problem is actually the more complex example (properly using RunAs):

              // CalleeSessionBean.java
              public interface CalleeSessionBean {
                  public void execute();
              }

              // CalleeSessionBeanImpl.java
              import javax.annotation.Resource;
              import javax.ejb.Local;
              import javax.ejb.Remote;
              import javax.ejb.SessionContext;
              import javax.ejb.Stateless;
              import javax.ejb.TransactionManagement;
              import javax.ejb.TransactionManagementType;

              @Stateless
              @TransactionManagement(TransactionManagementType.CONTAINER)
              @Remote(CalleeSessionBean.class)
              @Local(CalleeSessionBean.class)
              public class CalleeSessionBeanImpl implements CalleeSessionBean {
                  @Resource
                  private SessionContext context;

                  public void execute() {
                      // With correct run-as propagation the caller identity here is the calling bean's run-as identity
                      System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
                      System.out.println("CallerInRole(CallerRole): " + context.isCallerInRole("CallerRole"));
                  }
              }

              // CallerSessionBean.java
              public interface CallerSessionBean {
                  public void execute();
              }

              // CallerSessionBeanImpl.java
              import javax.annotation.Resource;
              import javax.annotation.security.RunAs;
              import javax.ejb.EJBException;
              import javax.ejb.Local;
              import javax.ejb.Remote;
              import javax.ejb.SessionContext;
              import javax.ejb.Stateless;
              import javax.ejb.TransactionManagement;
              import javax.ejb.TransactionManagementType;
              import javax.naming.InitialContext;
              import javax.naming.NamingException;

              @Stateless
              @TransactionManagement(TransactionManagementType.CONTAINER)
              @Remote(CallerSessionBean.class)
              @Local(CallerSessionBean.class)
              @RunAs("CallerRole")   // calls made by this bean should carry the CallerRole identity
              public class CallerSessionBeanImpl implements CallerSessionBean {
                  @Resource
                  private SessionContext context;

                  public void execute() {
                      try {
                          InitialContext initialContext = new InitialContext();
                          // JNDI lookup returns Object; JBoss 4.x binds the local view under "<BeanName>/local"
                          CalleeSessionBean callee = (CalleeSessionBean) initialContext.lookup("CalleeSessionBean/local");
                          callee.execute();
                      } catch (NamingException e) {
                          throw new EJBException("Lookup of CalleeSessionBean/local failed", e);
                      }
                  }
              }



              In this case, the Callee still prints false, despite the fact it should have acquired the RunAs CallerRole.

              I traced through the code and the problem is due to https://jira.jboss.org/jira/browse/EJBTHREE-741, a defect in the RunAsSecurityInterceptor. Even though the issue claims it was applied to AS 4.2.0, it does not appear to be. It is however applied to the 5.0.0+ branches.

              Bottom Line: the answer to my own question is: The @RunAs EJB 3.0 annotation is broken in the 4.2.x branches, but does work correctly in the 5.x branches.
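As an added illustration of the section 17.2.5.2 semantics discussed in this thread (a plain-Java model written for this page, not JBoss or EJB code): a per-thread identity stack in which a bean's @RunAs role is pushed only for the beans it calls, so its own isCallerInRole() still tests the real caller while a downstream bean sees the run-as role. The client identity and role names are constructed; main() reproduces the expected false for the first post's self-check and the expected true for the Caller/Callee pair from the last post.

```java
// Added model (plain Java, not JBoss code) of EJB 3.0 section 17.2.5.2 semantics:
// a per-thread identity stack where a bean's @RunAs role is pushed only for the
// beans it calls, so its own isCallerInRole() still tests the real caller.
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.Set;

public class RunAsModel {
    /** Identity as a bean sees it: principal name plus the roles that principal holds. */
    static final class Identity {
        final String principal;
        final Set<String> roles;
        Identity(String principal, Set<String> roles) { this.principal = principal; this.roles = roles; }
    }

    /** Stand-in for SessionContext: bound to the identity that was on top when the bean was entered. */
    static final class Ctx {
        private final Identity caller;
        Ctx(Identity caller) { this.caller = caller; }
        String getCallerPrincipal() { return caller.principal; }
        boolean isCallerInRole(String role) { return caller.roles.contains(role); }
    }

    interface Bean { void execute(Ctx ctx); }

    private final Deque<Identity> stack = new ArrayDeque<>();

    RunAsModel(Identity client) { stack.push(client); }   // the authenticated remote client

    /** Invoke a bean; runAsRole is its @RunAs value, or null when it has none. */
    void invoke(Bean bean, String runAsRole) {
        Identity caller = stack.peek();                   // what THIS bean's isCallerInRole() tests
        boolean pushed = runAsRole != null;               // run-as identity applies only to outbound calls
        if (pushed) stack.push(new Identity("run-as:" + runAsRole, Collections.singleton(runAsRole)));
        try {
            bean.execute(new Ctx(caller));
        } finally {
            if (pushed) stack.pop();                      // never leak the run-as identity past the call
        }
    }

    public static void main(String[] args) {
        RunAsModel c = new RunAsModel(new Identity("andrew", Collections.singleton("user")));  // constructed client
        boolean[] seen = new boolean[2];
        // First post: a bean checking its own @RunAs role sees the real caller, so this must be false
        c.invoke(ctx -> seen[0] = ctx.isCallerInRole("testRole"), "testRole");
        // Last post: Caller @RunAs("CallerRole") -> Callee; the callee must see CallerRole, so this must be true
        Bean callee = ctx -> seen[1] = ctx.isCallerInRole("CallerRole");
        c.invoke(ctx -> c.invoke(callee, null), "CallerRole");
        if (seen[0] || !seen[1]) throw new AssertionError("run-as semantics violated");
        System.out.println("own role: " + seen[0] + ", downstream role: " + seen[1]);
    }
}
```

A container that prints false for the downstream check (as AS 4.2.x does per EJBTHREE-741) is also silently failing any @RolesAllowed("CallerRole") guard on the callee, which is the security-relevant consequence of the bug.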