I am trying to trigger a call to a secured session bean from a Message Driven Bean.
The session bean is "governed" by a JAAS security domain.
Accessing the session bean from another session bean is running fine including security checks and valid user context.
The problem starts when I try to use a login module and access the session bean in an "async" way.
No matter what I do, I get an Ejb Access denied exception.
The weird thing is that introspecting the Subject in the privileged action (see below) returns the right user and roles (which can access the session bean if I am not using the MDB).
Any hint?
Here is a code snippet:
@MessageDriven(
    activationConfig = {
        @ActivationConfigProperty(
            propertyName = "destinationType",
            propertyValue = "javax.jms.Queue"),
        @ActivationConfigProperty(
            propertyName = "destination",
            propertyValue = "queue/myQueue")
    })
@SecurityDomain("mySecurityDomain")
public class myMDB implements MessageListener {
    ....
    @EJB
    private MyEjb myEjb;
    ....
    @Override
    public void onMessage(final Message message) {
        try {
            // Programmatic JAAS login against the same security domain
            final LoginContext loginContext = new LoginContext("mySecurityDomain",
                    new PassiveCallbackHandler("testUser", "testPassword"));
            loginContext.login();
            // Invoke the secured session bean as the authenticated Subject
            Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Boolean>() {
                @Override
                public Boolean run() {
                    try {
                        myEjb.testAccess();
                        return true;
                    } catch (final Exception e) {
                        e.printStackTrace();
                    }
                    return true;
                }
            });
        } catch (final JMSException e) {
            e.printStackTrace();
        } catch (final LoginException e) {
            e.printStackTrace();
        }
    }
    ....