1 Reply Latest reply on Jan 31, 2002 5:15 PM by Åsmund Hjulstad

    use-caller-identity and permssions

    I Kam Newbie

      Hi all,

      I have a session bean, in the deployment descriptor,
      I have assigned the following:

      <security-identity>
      <use-caller-identity/>
      </security-identity>

      I also have one method within the session bean that
      retrieves a list of files from the operating system. I
      want this method to execute under the caller's identity.
      When I login to the session bean using the id "caller1",
      my println statement within that method says my principal
      name is "caller1", which is correct. Same for "caller2",
      etc.

      The problem: I want the method to retrieve the list of
      operating system files according to the read/write/exec
      permissions as defined on that machine. So, for example,
      if caller1 does not have permission to read file A, then
      that method should return an exception.

      However, even though the file permission does not give
      caller1 permissions, caller1 can still read/write/exe
      the file. So, the problem is, it seems like that
      method is NOT executing as the caller's identity. But
      rather, it's executing as the userid of the user that
      started the JBoss server.

      What am I doing wrong here? My goal is to get the
      methods to do something according the the caller's
      identity and permissions associated with the server's
      operating system permissions.

      I would appreciate any help! Thanks in advance!

        • 1. Re: use-caller-identity and permssions
          Åsmund Hjulstad Newbie

          The "use-caller-identity" -tag relates to method invocations on other beans and managed resources(?). File system access from the session bean is not intercepted by the security infrastructure in JBoss.

          And also, btw, file system access from beans is against the spec, you might want to do the file system access from a MBean of some sort. To accomplish what you want with regards to security, you'll probably have to do the mapping between principals and unix usernames yourself.

          Åsmund Hjulstad