4 Replies Latest reply on Jan 12, 2012 10:45 AM by jaikiran pai

    Should EJB security be working in 7.1CR1b?

    Stephen Coy Master

      I have an Arquillian test that performs a JAAS login, looks up the EJB and then executes the method. However, the security context does not seem to be propagated through to the EJB:



          public void testProduceClientSecurityRoles() throws LoginException {
              LoginContext loginContext = new LoginContext("other", this);
              loginContext.login(); // without login(), getSubject() would return null

              // Run the lookup and the call with the JAAS Subject bound to this thread
              Set<SecurityRole> roles = Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Set<SecurityRole>>() {
                  public Set<SecurityRole> run() {
                      ClientSecurityRolesProducer sut = lookupInJNDI("java:app/test/ClientSecurityRolesProducer");
                      return sut.produceClientSecurityRoles();
                  }
              });
              // the exact condition asserted on the roles is cut off in the post; a non-empty check stands in for it
              assertTrue(!roles.isEmpty());
          }


      The EJB is a stateless no-interface bean and the invoked method looks like:





          public Set<SecurityRole> produceClientSecurityRoles() {
              // the container's view of the caller, as established by the EJB security interceptors
              logger.info("Producing user roles for user " + sessionContext.getCallerPrincipal());
              // the JAAS view: the Subject bound to this thread's AccessControlContext by Subject.doAs()
              logger.info("Subject principals are: " + Subject.getSubject(AccessController.getContext()).getPrincipals());
              return SecurityRole.getUserRolesFrom(sessionContext);
          }



      The JAAS login works great, but the log output I get is:


      {noformat}01:12:09,972 INFO  [com...ClientSecurityRolesProducer] ... Created
      01:12:09,976 INFO  [com...ClientSecurityRolesProducer] ... Producing user roles for user anonymous
      01:12:09,977 INFO  [com...ClientSecurityRolesProducer] ... Subject principals are: [testUser, CallerPrincipal(members:testUser), Roles(members:user,developer,administrator)]{noformat}


      Is this still on the TODO list or is something else wrong?
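As an added example, not code from the original post: the AS 7 EJB container derives getCallerPrincipal() from the JBoss security context bound to the calling thread, not from a JAAS Subject bound with Subject.doAs(), so one way to make the login visible to the bean from an in-container test is PicketBox's SecurityClient. The @EJB injection, the credentials and the non-empty role check are assumptions.

```java
import java.util.Set;
import javax.ejb.EJB;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.junit.Test;
import static org.junit.Assert.assertFalse;

// In-container Arquillian test; bean wiring is assumed, not taken from the post.
public class ContainerIdentityTest {

    // Assumption: the bean is injectable here; the post looks it up in JNDI instead.
    @EJB
    private ClientSecurityRolesProducer sut;

    @Test
    public void rolesAreProducedForTheLoggedInCaller() throws Exception {
        // Subject.doAs() only binds a JAAS Subject to the thread's AccessControlContext,
        // which is why the bean saw the Subject's principals but an "anonymous" caller.
        // SecurityClient pushes the identity into the JBoss security context that the
        // EJB security interceptors consult for getCallerPrincipal() and role checks.
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        client.setSimple("testUser", "constructed-password"); // constructed credentials for the "other" domain
        client.login();
        try {
            Set<SecurityRole> roles = sut.produceClientSecurityRoles();
            // With the identity propagated, the role set derived from sessionContext
            // should no longer be empty; an empty set means the caller is still anonymous.
            assertFalse("no roles derived from the container caller", roles.isEmpty());
        } finally {
            client.logout(); // always clear the thread-bound identity after the call
        }
    }
}
```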