I use a custom-written JAAS LoginModule for authorization in my EAR.
I annotated the MDB with @RunAs.
A secured stateless bean's method is invoked from the onMessage() callback.
When the invocation of the SLSB takes place, the container first invokes my own LoginModule and tries to perform authentication.
Is that normal and intended behavior? (I thought that the @RunAs annotation should tell the container to skip authentication.)
My implementation of LoginModule is based on UsernamePasswordLoginModule, which basically fails in its UsernamePasswordLoginModule.login() and propagates the exception up, resulting in "javax.ejb.EJBAccessException: Invalid User".
Thus, the invocation of the secured EJB fails although the MDB is annotated with @RunAs.
If invoking the LoginModule is the intended behavior, then does it [class LoginModule] have any means to detect that the @RunAs directive is attached?
I applied the following workaround:
The MDB calls a non-secured EJB A, which has only a local interface and is annotated with @RunAs.
EJB A is then able to invoke the secured EJB B, which has a remote interface.
Thus the trouble is solved by the invention of the mediator EJB A.
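
The mediator arrangement from the workaround above, as an added example that is not part of the original post. The bean, interface and role names are hypothetical, and the MDB's queue binding is assumed to be configured in the deployment descriptor.

```java
// Added illustration; every bean, interface and role name here is hypothetical.
// Each public type goes in its own .java file with the imports it uses.
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.*;
import javax.jms.*;

@Remote
public interface SecuredService { void process(String payload); }

@Local
public interface Mediator { void forward(String payload); }

// EJB B: secured, exposed through a remote interface.
@Stateless
@RolesAllowed("worker")
public class SecuredServiceBean implements SecuredService {
    @Override
    public void process(String payload) { /* protected business logic */ }
}

// EJB A: no access constraint, local interface only, calls onward as "worker".
@Stateless
@RunAs("worker")
public class MediatorBean implements Mediator {
    @EJB private SecuredService secured;

    @Override
    public void forward(String payload) { secured.process(payload); }
}

// MDB: it only talks to the local mediator, never to EJB B directly.
// The queue binding is assumed to live in the deployment descriptor.
@MessageDriven(activationConfig = @ActivationConfigProperty(
        propertyName = "destinationType", propertyValue = "javax.jms.Queue"))
public class InboundMdb implements MessageListener {
    @EJB private Mediator mediator;

    @Override
    public void onMessage(Message message) {
        if (!(message instanceof TextMessage)) return; // ignore other message types
        try {
            mediator.forward(((TextMessage) message).getText());
        } catch (JMSException e) {
            throw new EJBException(e); // surface the failure to the container
        }
    }
}
```

Because MediatorBean carries no access constraint, any code in the application that can obtain its local interface reaches SecuredService with the worker role, so the mediator should stay local-only and expose nothing beyond what the MDB needs.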