You must specify a security-role-ref in ejb-jar.xml for all roles used in isCallerInRole()
I am seeing a similar thing with 2.4.3. I am using a custom LoginModule to set the roles. Everything executes properly, but isCallerInRole returns false.
However, if I use the code in this thread to check the Roles it returns with the proper Roles set.
I am not sure where the difference lies.
Thanks for your ideas, guys.
I am properly referencing the role in the EJB descriptor, and the very same EJB descriptor works as expected under Weblogic.
Ryan, I checked out your suggestion, but it still doesn't seem to quite work right. It does work (under 2.4.4) when the role is assigned to the actual bean that is trying to access it (through the bound Subject, as per the code you referenced). But, what I'm interested in is checking the roles of the caller (which is what I thought isCallerInRole is supposed to be for.) However, even when a caller bean has the role (as verified from within that bean through the hack you referenced), the invoked bean does not see that role in its runtime bound Subject (and I don't think it should, either.)
I've spent some time looking through the 2.4.4's JaasSecurityManager code, and I'm now convinced that the misbehavior is not a "feature" of JBoss but indeed a bug having to do both with broken LoginModule handling and with dysfunctional caller tracking. Amazingly enough, caller identity is tracked properly when it comes to method permissions so that a caller bean cannot invoke methods on a target bean without having the appropriate role. I haven't looked at the 3.0 code in CVS (frankly, I don't have any more time), but hopefully the JBoss developers will correct the problem in the future.
A "workaround" that'll have to suffice for me is a System property to flag JBoss environment, and depending on whether the property is set either proceeding with role-specific code (on well-behaved app servers) or assuming defaults (on JBoss) -- which isn't too unsafe since at least the JBoss method permissions can filter out unauthorized callers.
Uhm, I just realized the first "paragraph" above addressed to Ryan doesn't make much sense without further clarification... The invoking bean has the RESTRICTED role, while the bean being invoked is configured with </use-caller-identity> in its run-as segment. The invoked bean does not see the caller identity. If I do not set up a security domain for the invoked bean in the jboss.xml, its EJBContext throws an exception complaining there's no security context when I try to invoke isCallerInRole() (even though it's supposed to use caller identity.) If I do set up a security domain, getCallerPrincipal() returns the principal assigned to the bean through its LoginModule, instead of the principal of the caller that it's supposed to return!
I'm experiencing similar difficulties. It appears
to me that I'm setting everything correctly and yet only
the JBoss specific subject code works. IsCallerInRole
always returns false. Is this a known bug? If so are there
I failed to mention in my previous post that the version
of JBoss I'm using is 2.4.6.