I have some additional info, maybe anybody has a clue what I don't see.
I went through all interceptors when invoking a method on the EJB.
I have an authenticated subject, a valid runAsIdentity consisting of principal and role.
I saw that "SecurityActions.pushRunAsIdentity(runAsIdentity);" pushed the correct runAsIdentity assembled from ejb-jar.xml and jboss.xml.
- With the SessionContext in the Ejb I can successfully call
and get a valid Principal back as defined in RunAs.
- SecurityRoleRefMetaData.getRoleName() called by EnterpriseContext returns the correct roleName.
But SecurityActions.getContextSubject() returns NULL.
Does anybody have a clue what I can do?
Thanks for helping
When I do a IsCallerInRole("role") it calls
SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL
SecurityContext.getIncomingRunsAs() also returns null
I do not understand this, since I explicitly do a login before creating / calling the EJB.
This is my application-policy:
<login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
The EJB 2.0 runs in MyRealm, and both login-modules succeed.
Still hope for any hints.
Ok, I think I isolated the problem.
SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.
So when I arrive at my ejb method, the context is good and context.IsCallerInRole("role") works fine.
But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left at NULL.
After return of these EJB calls the authenticated subject is still null and that's why my further context.isCallerInRole() calls from my current EJB fail.
Does anybody have an idea how to work around this?
Ok, I fixed my problem.
As mentioned I lost my authenticated subject.
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss of this.
I edited the corresponding jboss.xml and added a
In login-config.xml I added:
<application-policy name="EjbRealm">
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<module-option name="restore-login-identity">true</module-option>
</login-module>
</application-policy>
note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.
Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.
Hope this helps others.
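For readers who hit the same null-subject problem, here is the complete shape of the fix described in this thread, written out as an added example rather than the poster's own files. The security-domain name "EjbRealm" and the module option come from the thread; the jboss.xml binding, the surrounding <authentication> element and the "BYPASSED-SECURITY" comparison block are assumed, standard JBoss 4.x login-config.xml / jboss.xml layout.

```xml
<!-- login-config.xml (assumed layout, added example) -->
<policy>

  <!-- Weak variant: a ClientLoginModule with the default options.
       When a nested EJB call is routed through this domain, the caller's
       security association is replaced and NOT put back afterwards, so the
       calling EJB's later isCallerInRole() checks see a null subject. -->
  <application-policy name="BYPASSED-SECURITY">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    </authentication>
  </application-policy>

  <!-- Corrected variant: restore-login-identity=true makes the module
       save the previous principal/credential on login and restore them on
       logout, so the outer EJB's authenticated subject survives the nested call. -->
  <application-policy name="EjbRealm">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

The EJB that caused the loss is then bound to that domain in its jboss.xml (assumed element, the standard JBoss way to select an application-policy): `<jboss><security-domain>java:/jaas/EjbRealm</security-domain> ...</jboss>`. A quick check after deploying is to call context.getCallerPrincipal() in the outer EJB both before and after the nested call and confirm the same principal comes back; with the weak variant the second call is where the failure shows up.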