4 Replies Latest reply on May 14, 2009 12:15 PM by Elli Schwarz

    @RunAs doesn't work for @Service beans

    Jeff Schnitzer Newbie

      The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean.

      Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role:

      public class ServerService implements ServerManagement, Server
       public void serve() {...}

      The client tries to call the server:

      public class ClientService implements ClientManagement
       @EJB Server server;
       public void start() { server.serve(); }

      This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized".

      This worked in 4.2. Is there a workaround for 5.0.1?