4 Replies Latest reply on Jan 12, 2012 10:45 AM by jaikiran pai

    Should EJB security be working in 7.1CR1b?

    Stephen Coy Master

      I have an Arquillian test that performs a JAAS login, looks up the EJB and then executes the method. However, the security context does not seem to be propagated through to the EJB:

      {code}
      @Test
      public void testProduceClientSecurityRoles() throws LoginException {
          LoginContext loginContext = new LoginContext("other", this);
          loginContext.login();
          assertTrue(Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Set<SecurityRole>>() {

              @Override
              public Set<SecurityRole> run() {
                  ClientSecurityRolesProducer sut = lookupInJNDI("java:app/test/ClientSecurityRolesProducer");
                  return sut.produceClientSecurityRoles();
              }

          }).contains(SecurityRole.USER));
      }
      {code}

       

      The EJB is a stateless no-interface bean and the invoked method looks like:

       

      {code}
      @Produces
      @Client
      public Set<SecurityRole> produceClientSecurityRoles() {
          logger.info("Producing user roles for user " + sessionContext.getCallerPrincipal());
          logger.info("Subject principals are: " + Subject.getSubject(AccessController.getContext()).getPrincipals());
          return SecurityRole.getUserRolesFrom(sessionContext);
      }
      {code}

       

      The JAAS login works great, but the log output I get is:

       

      {noformat}
      01:12:09,972 INFO  [com...ClientSecurityRolesProducer] ... Created
      01:12:09,976 INFO  [com...ClientSecurityRolesProducer] ... Producing user roles for user anonymous
      01:12:09,977 INFO  [com...ClientSecurityRolesProducer] ... Subject principals are: [testUser, CallerPrincipal(members:testUser), Roles(members:user,developer,administrator)]
      {noformat}

       

      Is this still on the TODO list or is something else wrong?

       

      Thanks
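An added illustration (not code from the post above or from JBoss) of why the two log lines can disagree: JAAS `Subject.doAs` binds the Subject to the `AccessControlContext`, which is what `Subject.getSubject(AccessController.getContext())` reads, whereas `sessionContext.getCallerPrincipal()` is answered by the container's own security context, which a client-side JAAS login does not populate by itself. The login module and the `ThreadLocal` standing in for the container context are constructed for the demo; it assumes Java 11 or later and no `login.config` file.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class SubjectVsCallerPrincipalDemo {
    // Constructed login module (assumption, not a JBoss module): logs any caller in as "CN=testUser".
    public static class FixedUserLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(new X500Principal("CN=testUser")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Stand-in for the container's per-thread security context; it is NOT derived from the JAAS Subject.
    private static final ThreadLocal<Principal> CONTAINER_CALLER = new ThreadLocal<>();
    static String callerPrincipalName() {
        Principal p = CONTAINER_CALLER.get();
        return p == null ? "anonymous" : p.getName();
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic JAAS configuration so the demo runs without a login.config file.
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(FixedUserLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        LoginContext lc = new LoginContext("other");
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedAction<Void>) () -> {
            // The Subject is bound to the AccessControlContext, so this prints [CN=testUser] ...
            System.out.println("Subject principals: " + Subject.getSubject(AccessController.getContext()).getPrincipals());
            // ... while the container-side caller principal is a separate context and still reads "anonymous".
            System.out.println("Caller principal: " + callerPrincipalName());
            return null;
        });
    }
}
```

The practical consequence for a test is that a populated Subject proves the JAAS login worked, not that the EJB's authorization checks ran as that user; assert on what the bean reports for its caller, as the test above does.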