3 Replies Latest reply on Feb 14, 2004 10:44 AM by Scott Stark

    unauthenticatedIdentity and user roles

    roberto roberto Novice

      I have an EJB method "M1" that runs as role "A"; this method calls another EJB method "M2" that requires role "B".
      I have set an unauthenticatedIdentity in the login-config.xml to user "MyUser" and set the roles for this user to "A" and "B" (in the user and role properties).
      But when the first method (M1) tries to call method M2, an exception occurs:

      java.lang.SecurityException: Insufficient method permissions, runAsRole=A, method=create, interface=HOME, requiredRoles=[B]

      I have checked the user retrieved using getCallerPrincipal and it is correct: the response is "MyUser", the same as set as unauthenticatedIdentity.

      What happens? Or how does unauthenticatedIdentity work?
      Any workaround?

      Also, I have tried setting a non-existing user as unauthenticatedIdentity... and, surprise, this user is used but the same exception occurs.
      So I think that for the unauthenticatedIdentity JBoss doesn't retrieve roles, but uses only the role in the Run-As clause.