2 Replies Latest reply on Jul 26, 2015 8:22 AM by Greg Jewell

    WildFly 9.0.0.Final not honoring @RunAs?

    Greg Jewell Novice

      Hello,

       

      I've got an application that utilizes the @RunAs annotation to invoke stateless EJB methods that require authentication.  In JBoss 7.1.1 and pre-release versions of WildFly 9, this worked without issue.  With the final release of 9, however, the method calls are blocked with the following error message:

       

      WFLYEJB0364: Invocation on method: ... of bean: InvokerBean is not allowed.

       

      The InvokerBean is looked up by a non-bean using the InitialContext.lookup methodology.  InvokerBean is annotated with @RunAs("AUTHENTICATED_USER") and @SecurityDomain("SAMPLE").  The bean that's being invoked is acquired via injection oin the InvokerBean, and is annotated at the class level with @SecurityDomain("SAMPLE") and at the method level with @RolesAllowed("AUTHENITCATED_USER").

       

      Can anybody confirm this, or do I need to do something additional with WF9?

        • 1. Re: WildFly 9.0.0.Final not honoring @RunAs?
          jaikiran pai Master

          Greg Jewell wrote:

           


          The InvokerBean is looked up by a non-bean using the InitialContext.lookup methodology.  InvokerBean is annotated with @RunAs("AUTHENTICATED_USER") and @SecurityDomain("SAMPLE").  The bean that's being invoked is acquired via injection oin the InvokerBean, and is annotated at the class level with @SecurityDomain("SAMPLE") and at the method level with @RolesAllowed("AUTHENITCATED_USER").

           

          Can anybody confirm this, or do I need to do something additional with WF9?

          What you have there should be good enough. I don't see anything obviously wrong or missing. Can you add the exact exception stacktrace and the bean code? Perhaps attach a reproducible application too.

          • 2. Re: WildFly 9.0.0.Final not honoring @RunAs?
            Greg Jewell Novice

            I'm sorry -- I was given incorrect information.  This was an area of the code that I don't have the ability to test because it deals with an external system that I don't have access to.  The code did not work on WF9 CR2, either.

             

            The exception wasn't being thrown when the InvokerBean with the @RunAs annotation was trying to invoke another gated EJB, but when the POJO was trying to call a method on the InvokerBean.  Since InvokerBean was also annotated with @SecurityDomain, it needed to be invoked by a valid user.  In AS7, the default access was @PermitAll if something wasn't explicitly labeled with permissions.  In WF8, the default changed to @DenyAll.  I made the appropriate code changes, and things started working again.

             

            Sorry about the false alarm -- I should have checked into this more closely.